
Zebrocy. A new APT group affecting ICS environments and government agencies?

Is there really an overlap between the TTPs (Tactics, Techniques, and Procedures) of GreyEnergy and Sofacy? Has a new group called Zebrocy really emerged?

In November 2014 we published this entry, in which we described how the Sandworm APT (mainly through the BlackEnergy group) affected transactional systems of government bodies (NATO, the Ukrainian government, etc.) between June and October 2014, and how, between November 2014 and the first months of 2015, it used certain SCADA systems (mainly CIMPLICITY HMI) as an attack vector to compromise industrial environments.

A few years later, in October 2018, the company ESET published this report which included the activity of the so-called GreyEnergy group, as the successor to the BlackEnergy group. GreyEnergy also acted by exploiting vulnerabilities in industrial systems, located mainly in Ukraine.

On the other hand, the APT group called Sofacy (or APT28) is known for its cyber espionage activities. Recently, Kaspersky has identified an overlap between the working methods of the GreyEnergy and Sofacy groups, calling this emerging group Zebrocy.

Zebrocy’s targets are government companies located in different countries in the Middle East, Europe, and Asia.

The main discovery is that GreyEnergy and Sofacy were using the same servers at the same time and targeting similar organizations.


We show below some interesting details.

C2 servers shared by Zebrocy and GreyEnergy: the following servers have been shown to be used by both groups:

  1. Server 193.23.181[.]151 used by Zebrocy and GreyEnergy in June 2018.
  2. Server 185.217.0[.]124 used by GreyEnergy between May and June 2018 and by Zebrocy in June 2018.

Common lure document: a file called “Seminar.rtf” was used by both Zebrocy and GreyEnergy in a spear-phishing campaign.

Common target of both groups: Companies in the industrial and government sectors of Kazakhstan.
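As an added example of how a defender can act on the indicators listed above (this is not code from the original post or from Kaspersky), the Python script below refangs the two published C2 addresses, validates them, and scans some constructed sample firewall log lines for connections to them, flagging whether each hit falls inside the activity window the post gives for that server. The log line format and the day-level boundaries of the windows (the post only gives months) are assumptions.

```python
import ipaddress
import re
from datetime import date

# Indicators from the post, kept defanged ("[.]") so they are not clickable.
# The date windows are an assumption: the post gives only months, so each
# window is expanded to whole months.
DEFANGED_IOCS = {
    "193.23.181[.]151": {"groups": ("Zebrocy", "GreyEnergy"),
                         "window": (date(2018, 6, 1), date(2018, 6, 30))},
    "185.217.0[.]124": {"groups": ("GreyEnergy", "Zebrocy"),
                        "window": (date(2018, 5, 1), date(2018, 6, 30))},
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_watchlist(defanged: dict) -> dict:
    """Map real IP addresses to their IoC metadata, validating each address."""
    watch = {}
    for raw, meta in defanged.items():
        ip = str(ipaddress.ip_address(refang(raw)))  # raises ValueError on malformed input
        watch[ip] = meta
    return watch


# Constructed sample log lines (not from the post): date, src IP, dst IP, dst port, bytes.
SAMPLE_LOG = """\
2018-06-12 10.0.0.15 193.23.181.151 443 8192
2018-06-12 10.0.0.15 93.184.216.34 443 1024
2018-05-30 10.0.0.42 185.217.0.124 80 512
2018-09-01 10.0.0.42 185.217.0.124 80 512
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def scan_log(log_text: str, watch: dict) -> list:
    """Return one hit per log line whose destination is on the watchlist.

    Each hit records whether the timestamp falls inside the published activity
    window. Out-of-window hits are still reported, because C2 infrastructure
    is frequently reused after the period in which it was first documented.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, src, dst, port, _ = m.groups()
        meta = watch.get(dst)
        if meta is None:
            continue
        when = date.fromisoformat(ts)
        start, end = meta["window"]
        hits.append({
            "date": ts,
            "src": src,
            "dst": dst,
            "port": int(port),
            "groups": meta["groups"],
            "in_window": start <= when <= end,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, build_watchlist(DEFANGED_IOCS)):
        print(hit)
```

Running the script prints three hits: the two connections to the published addresses inside their windows and one later connection to 185.217.0.124 marked `in_window: False`, which is the kind of event that still deserves a look when infrastructure is known to be shared between groups.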

Given this evidence, a relationship between GreyEnergy and a possible split from Sofacy, which has been called Zebrocy, seems probable.

If you need more information about the APT groups that target industrial environments and/or critical infrastructures and you need to know what countermeasures you can implement to mitigate their possible consequences in the event of security incidents, please contact us.

Source: Kaspersky Lab ICS CERT