Hackers accused of ties to Russia hit three East European companies: cybersecurity firm
[October 17, 2018]
By Jack Stubbs
BRATISLAVA (Reuters) - Hackers have infected three energy and
transport companies in Ukraine and Poland with sophisticated new malware
and may be planning destructive cyber attacks, a software security firm
said on Wednesday.
A report by researchers at Slovakia-based ESET did not attribute the
hacking activity, recorded between 2015 and mid-2018, to any specific
country but blamed it on a group that has been accused by Britain of
having links to Russian military intelligence.
The report is the latest to raise suspicions in the West about Russia's
GRU spy agency, accused by London of conducting a "reckless campaign" of
global cyber attacks and trying to kill a former Russian spy in England.
Moscow denies the charges.
Investigators at ESET said the group responsible for a series of earlier
attacks against the Ukrainian energy sector, which used malicious
software known as BlackEnergy, had now developed and used a new malware
suite called GreyEnergy.
ESET has helped investigate a series of high-profile cyber attacks on
Ukraine in recent years, including those on the Ukrainian energy grid
which led to power outages in late 2015.
Kiev has accused Moscow of orchestrating those attacks, while U.S.
cybersecurity firm FireEye says a group known as Sandworm is thought to
be responsible. Britain's GCHQ spy agency said this month that
BlackEnergy Actors and Sandworm are both names associated with the GRU.
"The important thing is that they are still active," ESET researcher
Robert Lipovsky told Reuters. "This shows that this very dangerous and
persistent 'threat actor' is still active."
Kremlin spokesman Dmitry Peskov said there was no evidence to support
the allegations against the GRU and that Russia does not use cyber
attacks against other countries.
"These are just more accusations. We are tired of denying them, because
no one is listening," he said.
After infection via emails laced with malicious weblinks or documents -
a tactic known as "spear phishing" - or by compromising servers exposed
to the internet, GreyEnergy allowed the attackers to map out their
victim's networks and gather confidential information such as passwords
and login credentials, ESET said.
Lipovsky said his team then saw the hackers seek out critical parts of
the companies' systems, including computers which ran industrial control
processes.
"It is my understanding that this was the reconnaissance and espionage
phase, potentially leading up to cyber sabotage," he said.
[Photo: A woman is silhouetted at the ESET booth during preparations at the CeBit computer fair in Hanover, March 4, 2013. REUTERS/Fabrizio Bensch/File Photo]
GLOBAL HACKING CAMPAIGN
The ESET report did not name the three companies infected in Ukraine and Poland,
and Reuters was unable to identify them.
Ukraine's Cyber Police confirmed the attacks on two Ukrainian companies but
declined to give any further details. Poland's Internal Security Agency declined
to comment.
Ben Read, a senior manager on FireEye's espionage analysis team, said his own
work corroborated ESET's report and that the Sandworm group was probably
responsible.
The activity "is similar to the group we track as Sandworm," he said. "And
activity that we attribute to Sandworm has been named by the U.S. Department of
Justice as being the GRU."
Western countries including Britain and the United States issued a coordinated
denunciation of Russia as a "pariah state" this month for what they described as
a global hacking campaign run by the GRU.
GRU hackers have targeted institutions ranging from sports anti-doping bodies to
a nuclear power company and the world chemical weapons watchdog, they said, as
well as releasing the devastating "NotPetya" cyber worm which caused billions of
dollars of damage worldwide in 2017.
The GRU, now formally known in Russia by a shorter acronym GU, is also accused
by Britain of carrying out a nerve agent attack in England on former GRU officer
Sergei Skripal. Moscow's relations with the West have hit a post-Cold War low
over Russia's role in the conflicts in Ukraine and Syria.
Lipovsky and fellow ESET researcher Anton Cherepanov said the BlackEnergy
attackers' decision to upgrade to the new GreyEnergy malware may have been
motivated by a need to cover their tracks and deflect attention from their
activities.
The power outages triggered by the BlackEnergy attacks in Ukraine in December
2015 drew international attention and are recognised as the first blackout
caused by a cyber attack.
"Threat actors need to switch up their arsenal from time to time," Lipovsky
said.
(Additional reporting by Pavel Polityuk in KIEV, Anna Koper in WARSAW, Christian
Lowe and Margarita Popova in MOSCOW; Editing by Jim Finkle and Timothy Heritage)
© 2018 Thomson Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
Thomson Reuters is solely responsible for this content.