Researchers link Industroyer to NotPetya

ESET researchers believe they have found evidence that the TeleBots APT was behind the December 2016 attacks against the Ukraine energy sector that resulted in blackouts throughout the country: a backdoor dubbed Exaramel.

The missing evidence

With APT groups and the malware they deploy being named differently by the various AV vendors, it's sometimes difficult to follow the connections.

This diagram shared by the researchers can help:

[Diagram: Industroyer / NotPetya link]

“We have observed and documented ties between the BlackEnergy attacks – not only those against the Ukrainian power grid but against various sectors and high-value targets – and a series of campaigns (mostly) against the Ukrainian financial sector by the TeleBots group,” they shared.

“In June 2017, when many large corporations worldwide were hit by the Diskcoder.C ransomware (aka Petya and NotPetya) – most probably as unintended collateral damage – we discovered that the outbreak started spreading from companies afflicted with a TeleBots backdoor, resulting from the compromise of the popular financial software M.E.Doc.”

There was always speculation that the Industroyer attacks were perpetrated by the TeleBots (aka Sandworm) group, which is believed to be the same group that wielded the BlackEnergy malware toolkit in 2015. But the discovery and analysis of Exaramel has turned that speculation into a considerable likelihood.

“The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy,” the researchers noted.

“While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely.”

ESET detected Exaramel in April 2018 at an organization that is not an industrial facility.

As usual, the company has chosen not to speculate on whether the BlackEnergy/TeleBots group is getting its orders from a nation-state or not.

Earlier this year, the US, UK and Australia officially stated that they believed that Russia was behind the NotPetya attacks.