First malware directly affecting industrial control systems traced to one cybercriminal group
ESET, specialists in cybersecurity research and a European Union-based endpoint security company, has discovered evidence linking the infamous cybercriminal group TeleBots to Industroyer.
This is said to be the most powerful modern malware targeting industrial control systems and the culprit behind the electricity blackout in Ukraine’s capital, Kiev, in 2016.
TeleBots demonstrated its impact with NotPetya, the disk-wiping malware that disrupted global business operations in 2017, and its ties with BlackEnergy, which was deployed in the first-ever malware-enabled blackout in Ukraine in 2015 (predating the Industroyer-induced blackout by one year).
“Speculation about the connection between Industroyer and TeleBots emerged shortly after Industroyer hit Ukraine’s power grid,” says ESET researcher Anton Cherepanov, who led both the Industroyer and NotPetya research investigation. “However, no supporting evidence was publicly recognised – until now.”
In April 2018, ESET discovered fresh activity from the TeleBots group: an attempt to deploy a new backdoor, which ESET detects as Exaramel. ESET’s analysis suggests that this backdoor is an improved version of the main Industroyer backdoor – the first piece of evidence linking Industroyer to TeleBots.
“The discovery of Exaramel shows that the TeleBots group is still active in 2018 and the attackers keep improving their tools and tactics,” concludes Cherepanov. “We will continue to monitor the activity of this group.”
For more information see ESET’s blog, WeLiveSecurity.