BlackEnergy successor targets critical infrastructure

malware detection (Alexander Yakimov/ 

The infamous BlackEnergy toolkit that crippled the electrical grid in the Ukraine in 2015 has a virulent successor that is busy stalking critical infrastructure industrial control systems, according to new research by cybersecurity firm ESET.

The new toolkit, which ESET calls "GreyEnergy," is wielded by the advanced persistent threat  (APT) group of the same name. Both are linked to the "Telebots" group responsible for the NotPetya malware that crippled hundreds of commercial networks around the globe in 2017. Intelligence officials in the U.S. and elsewhere attributed that attack to the Russian military.

ESET didn't name GreyEnergy's country of origin but said it is most likely an upgrade to the 2015 BlackEnergy, using a similar design that targets industrial control systems and similar operating methods. The upgrade was probably to cover the tracks left by the BlackEnergy attack, according to ESET analysis.

For the last three years, ESET researchers said, GreyEnergy has intentionally stayed under the radar "focusing on espionage and reconnaissance, quite possibly in preparation of future cybersabotage attacks or laying the groundwork for an operation run by some other APT group."

While the Telebots group remains primarily focused on industrial and financial networks in Ukraine, GreyEnergy, like BlackEnergy, has pushed out beyond those borders to probe critical infrastructure in other countries. ESET said that in late 2015, it spotted GreyEnergy malware targeting an energy company in Poland. It didn't identify the company.

GreyEnergy uses phishing email or holes in public-facing websites running on servers connected to an internal network to get around security, according to ESET.

One of GreyEnergy's more disturbing details uncovered in malware samples was a signed valid digital certificate "that had likely been stolen from a Taiwanese company that produces ICS equipment," ESET said. That exploit was used by the Stuxnet worm that crippled the Iranian nuclear program's ICS in 2010.

"It is certain that the threat actors responsible for GreyEnergy are extremely dangerous in their persistence and stealth,"  ESET's paper said.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • FCW Perspectives
    remote workers (elenabsl/

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

  • Management
    shutterstock image By enzozo; photo ID: 319763930

    Where does the TMF Board go from here?

    With a $1 billion cash infusion, relaxed repayment guidelines and a surge in proposals from federal agencies, questions have been raised about whether the board overseeing the Technology Modernization Fund has been scaled to cope with its newfound popularity.

Stay Connected