The GreyEnergy APT (Advanced Persistent Threat) is believed to be the successor of the highly destructive hacking group known as the BlackEnergy APT. There are several reasons why cybersecurity experts believe these two hacking groups are related:
- The GreyEnergy hacking group emerged around the same time that the BlackEnergy APT vanished from the world of cybercrime.
- Both the GreyEnergy and BlackEnergy APTs tend to operate with flexible, lightweight hacking tools that are easily modified and controlled.
- Most of the efforts of both hacking groups are concentrated in Poland and Ukraine.
- They both tend to target critical sectors like industrial or energy-related institutions.
- The infrastructure built and used by the GreyEnergy and BlackEnergy APTs appears to be very closely related.
However, the individuals who appear to be behind both of these hacking groups seem to have changed their tactics. For the most part, BlackEnergy was known for its very destructive tendencies and seemed to care little about hiding its tracks or keeping a low profile. This is in utter contrast to the approach the GreyEnergy APT has taken. They are much more careful about remaining under the radar of malware researchers, and the threats they propagate are less noisy and destructive. It has been noticed that many of the campaigns carried out by the GreyEnergy group involve a mini backdoor Trojan, which serves as a gateway for the attackers to plant a more potent threat on the infiltrated host. To ensure their threats operate as silently as possible, the GreyEnergy APT has been utilizing fileless malware. Furthermore, the GreyEnergy hacking group has been working on several ‘malware wipers.’ These tools enable the malware operators to erase any traces of harmful activity that may remain on the victim’s system.
In the past, the BlackEnergy group aimed to wreak havoc, while the GreyEnergy APT that is operational today concentrates mostly on spying campaigns. Once the GreyEnergy group infiltrates a system, they are likely to lie low and collect information from the host by recording keystrokes, taking screenshots of the desktop, siphoning files of interest, collecting documents, gathering login credentials, and harvesting other data. Sometimes, instead of using privately developed hacking tools, the GreyEnergy APT utilizes publicly available legitimate applications such as Mimikatz, WinExe, PsExec, Nmap, etc.
It is interesting to see a hacking group change tactics so radically. The much quieter approach was likely adopted so that the individuals involved could continue their operations while minimizing the chances of getting caught by the authorities. We will probably continue to hear about the activities of the GreyEnergy APT in the future.