lolloj - Fotolia

Industroyer, NotPetya linked to TeleBots group by ESET researchers

News roundup: An APT group called TeleBots group was linked to Industroyer malware and NotPetya ransomware, according to researchers. Plus, Imperva is acquired by Thoma Bravo and more.

New evidence has been disclosed that links Industroyer malware with the same group behind the NotPetya ransomware.

Researchers at ESET, a cybersecurity company headquartered in Bratislava, Slovakia, found evidence that connects the two major threats. The Industroyer malware, also known as CrashOverride, was responsible for attacks on Ukraine's power grid in 2016. And NotPetya was considered the most destructive ransomware in 2017 after using the EternalBlue exploit to infect thousands of computers in more than 100 countries within a few days.

Now, ESET researchers have connected the two to the same advanced persistent threat (APT) group through a third strain of malware they call the Win32/Exaramel backdoor. Exaramel -- which was used in a different hack this year -- Industroyer and NotPetya all originated from the infrastructure of a group ESET called the TeleBots group.

ESET said it had been tracking the activity of the APT group behind a separate 2015 energy grid attack on Ukraine, called BlackEnergy, and the group behind BlackEnergy evolved into TeleBots. The researchers had also previously discovered ties between BlackEnergy and NotPetya.

In April 2018, ESET noticed the TeleBots group attempting to create Exaramel, which they analyzed and characterized as essentially an "improved version" of Industroyer.

"We're drawing connections based on technical indicators such as code similarities, shared [command-and-control] C&C infrastructure, malware execution chains, and so on," ESET explained in a blog post.

The researchers also noted that TeleBots group used C&C servers with domain names meant to look like they belong to ESET.

"It is important to note that these attacker-controlled servers are in no way related to ESET's legitimate server infrastructure," the company wrote. "Currently, we haven't seen Exaramel use domains that mimic other security companies."

"The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots group, and hence to NotPetya and BlackEnergy," ESET explained. "While the possibility of false flags -- or a coincidental code sharing by another threat actor -- should always be kept in mind when attempting attribution, in this case we consider it unlikely."

ESET did not go as far as attributing the TeleBots group to any particular threat actor or nation state, though NotPetya has been previously linked to Russia.

In other news:

  • Private equity firm Thoma Bravo announced this week it will acquire cybersecurity company Imperva for $2.1 billion. Imperva is a software and services company headquartered in Redwood Shores, Calif., that provides distributed denial-of-service protection, web application firewalls and other security tools. Imperva will still operate as a privately held company. Thoma Bravo has acquired several cybersecurity companies this year, including SIEM vendor LogRhythm, firewall provider Barracuda Networks, and identity and access management vendor Centrify.
  • Experian's website exposed confidential PINs needed to unlock accounts with credit freezes in place. NerdWallet's Liz Weston reported last week that Experian's website would expose a user's PIN after their security verification questions were all answered with "none of the above." With the PIN, an account with a credit freeze in place could then have it removed, and lines of credit could be opened on the account. Malicious actors would still need to fill out the PIN-retrieval form with the account holder's name, address, date of birth and Social Security number. But, as Weston pointed out, that's exactly the type of information that has been exposed in previous credit agency breaches -- like last year's massive Equifax breach -- so that information could be found easily on the web or dark web. There is no evidence, as of this writing, that this flaw was exploited, or that Experian customer data had been accessed or used maliciously.
  • California signed a new law that imposes restrictions on IoT and other connected devices. California Gov. Jerry Brown signed the bill on Sept. 28, 2018, that bans the use of default admin passwords on IoT devices. The law, which will go into effect on Jan. 1, 2020, applies to devices sold in the state and requires device manufacturers to use stronger passwords. The Information Privacy: Connected Devices law also sets requirements for security controls on all devices that connect to the internet via IP or Bluetooth. The law also requires that every device has a unique password and that there must be a way for a user to "generate a new means of authentication" before accessing the device for the first time.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing