Kaspersky Lab experts have identified an overlap in cyberattacks carried out by two infamous threat actors — GreyEnergy, which is believed to be a successor of BlackEnergy, and the Sofacy cyberespionage group. The researchers found that both actors used the same servers simultaneously, but used them for different purposes.

The BlackEnergy and Sofacy hacking groups are considered to be two of the most prominent actors in the modern cyberthreat landscape, and both of their past activities have led to devastating consequences on a national level. In 2015, BlackEnergy inflicted one of the most notorious cyberattacks in history against Ukrainian energy facilities, which led to widespread power outages. Sofacy has caused havoc with multiple attacks against U.S. and European governmental organizations, as well as national security and intelligence agencies.

It has previously been suspected that there was a connection between BlackEnergy and Sofacy. This connection has now been established through GreyEnergy – BlackEnergy’s successor – which was found to be using malware to attack industrial and critical infrastructure targets mainly in Ukraine, and demonstrated some strong architectural similarities with BlackEnergy.

Kaspersky Lab ICS CERT found two servers hosted in Ukraine and Sweden, which were used by both threat actors simultaneously in June 2018. GreyEnergy used the servers during a phishing campaign to store a malicious file, which was downloaded by victims as they opened a text document attached to a phishing email. At the same time, Sofacy used the server as a command and control center for their own malware. As both groups used the servers for a relatively short time, this suggests a shared infrastructure. This suspicion was confirmed when both threat actors were observed targeting the same company with spear-phishing emails just one week apart. Furthermore, both groups used similar phishing documents under the guise of emails from the Ministry of Energy of the Republic of Kazakhstan.

"The compromised infrastructure found to be shared by these two threat actors potentially points to the fact that the pair not only have the Russian language in common, but that they also cooperate with each other,” said Maria Garnaeva, security researcher at Kaspersky Lab ICS CERT. “It also provides an idea of their joint capabilities and creates better picture of their plausible goals and potential targets. These findings add another important piece into public knowledge about GreyEnergy and Sofacy. The more the industry knows about their tactics, techniques and procedures, the better security experts can do their job in protecting customers from sophisticated attacks."

To stay protected against attacks from sophisticated threat actors, Kaspersky Lab suggests the following tips for businesses:

Read the full version of the Kaspersky Lab ICS CERT report here.

Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 21 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.