Security researchers found that Industroyer and NotPetya belong to the Russian hacker group

Malware analysts at cybersecurity company ESET have recently found substantial evidence that the cyber attack against the Ukrainian grid and the NotPetya ransomware that broke out in June 2017 are the same organisation.

The two are not directly related, but the researchers discovered it through a malware called Exaramel in a hack in April this year. The Exaramel backdoor was deployed from Telebots’ server infrastructure, which is the infrastructure on which NotPetya ransomware relies.

In the analysis report, ESET called the Exaramel backdoor “a modified version of the backdoor component” that was part of the industrial control systems (ICS) malware Industroyer, which caused a blackout in Ukraine in December 2016. Although this connection has been speculated before, there is no substantial evidence that Exaramel’s findings confirm the researchers’ ideas.

The picture below shows ESET researchers speculating on the evolution of the BlackEnergy Group, which in the year before Industroyer also attacked the Ukrainian grid in December 2015.

 

Considering the reports that have linked NotPetya to BlackEnergy attacks since July 2017, it can be said that the behind-the-scenes push for all attacks in the above picture belongs to the same organisation. ESET’s findings provide factual and technical evidence for the recent allegations made by Western governments.

In February of this year, the governments of the Five Eyes Alliance countries all accused Russia of planning the outbreak of NotPetya ransomware. Earlier this month, the United Kingdom and Australia issued a statement accusing the Russian main intelligence service (GRU) of the Russian armed forces of the military intelligence agencies of multiple cyber attacks. The report said that Russia’s Main Intelligence Directorate (GRU) is behind a series of cyber espionage organisations and hacking, the names listed include Sandworm and BlackEnergy, which are used as alternatives to TeleBot in numerous reports in the cybersecurity industry.

ESET’s research provided strong support for government reports. Russia created malware in 2015 and 2016 to target the Ukrainian grid, and later deployed NotPetya ransomware for Ukrainian companies, which annexed Crimea and supported western Ukraine. Part of the pro-Russian rebels in the region.