Malware researchers from ESET have found solid evidence that the cyber attacks on Ukraine's energy grid were carried out by the same group that was behind the massive NotPetya ransomware outbreak in June 2017.
They managed to link them to each other through a third piece of malware, the Exaramel backdoor, which appeared in April 2018. It is in fact an improved version of the Industroyer backdoor, which caused a massive outage across Ukraine in 2016. The year before, an attack called BlackEnergy had the same effect. Exaramel was removed from the server infrastructure of the Telebots group; at the time, NotPetya came from that group's own servers.
This is not the first time security experts have linked these attacks. Previously, researchers from ESET and Kaspersky Lab based their assessments on shared infrastructure and similar TTPs (Tactics, Techniques, and Procedures), but that kind of evidence is not very reliable, because an attacker's behavior can change, or one attacker can learn from another.
This time, the link is indicated by the source code itself, as well as by the shared command-and-control (C2) server infrastructure and the order in which the malicious code executes. Exaramel and Industroyer both use a report file into which they write the output of executed shell commands and the list of running processes. Overall, the behavior of the two malware variants is similar, as is their code, which even partially overlaps.
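The attribution argument above rests on code overlap between two samples. As an added illustration (not ESET's method, data or tooling), the following Python script shows the crudest form of such a comparison: extract printable strings from two binaries, list the strings they share, and score the overlap with a Jaccard index. The three "binaries" are constructed byte blobs, and the report file name in them is a placeholder, not a real indicator; the process-listing commands embedded in them stand in for the "running processes" behaviour the article describes.

```python
import re
from typing import Dict, List, Set

# Constructed sample "binaries" for this example. They are arbitrary bytes with a few
# embedded printable strings and are NOT real Exaramel or Industroyer artefacts; the
# report file name is a placeholder, not a real indicator.
SAMPLE_A = (b"\x00\x01MZ\x90\x00"
            + b"cmd.exe /c \x00"                 # shell launcher (Windows flavour)
            + b"report_placeholder.txt\x00"      # shared "report file" name (placeholder)
            + b"\x7f\x7fCreateProcessW\x00"
            + b"tasklist\x00\xde\xad")           # process listing command
SAMPLE_B = (b"\x7fELF\x02\x01"
            + b"/bin/sh -c \x00"                 # shell launcher (Linux flavour)
            + b"report_placeholder.txt\x00"      # same report file name as SAMPLE_A
            + b"ps -aux\x00"                     # process listing command
            + b"tasklist\x00\xbe\xef")
SAMPLE_C = (b"MZ\x90\x00"                        # unrelated control sample
            + b"Hello, world!\x00"
            + b"GetProcAddress\x00")


def extract_strings(blob: bytes, min_len: int = 5) -> Set[str]:
    """Return the set of printable-ASCII runs of at least min_len bytes (like `strings`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.decode("ascii") for m in pattern.findall(blob)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Jaccard index |A ∩ B| / |A ∪ B|; defined as 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def shared_strings(blob_a: bytes, blob_b: bytes, min_len: int = 5) -> List[str]:
    """Sorted strings present in both samples: the overlap an analyst would inspect by hand."""
    return sorted(extract_strings(blob_a, min_len) & extract_strings(blob_b, min_len))


def compare_samples(blob_a: bytes, blob_b: bytes, min_len: int = 5) -> Dict[str, object]:
    """Summarise how much string content two samples have in common."""
    sa, sb = extract_strings(blob_a, min_len), extract_strings(blob_b, min_len)
    return {
        "strings_a": len(sa),
        "strings_b": len(sb),
        "shared": sorted(sa & sb),
        "jaccard": jaccard(sa, sb),
    }


if __name__ == "__main__":
    for name, other in (("B", SAMPLE_B), ("C", SAMPLE_C)):
        result = compare_samples(SAMPLE_A, other)
        print(f"A vs {name}: jaccard={result['jaccard']:.2f} shared={result['shared']}")
```

String overlap alone is weak evidence, for exactly the reason the article gives about TTPs: strings are easy to copy or change. It is useful as a first filter that tells an analyst which samples deserve the deeper function-level and infrastructure comparison that the ESET finding is based on.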