Cybersecurity researchers from the Slovak security firm ESET have found solid evidence that the group behind the cyber-attacks on the Ukrainian power grid is the same group behind the NotPetya ransomware outbreak of June 2017.
However, the link is not a direct one; it was identified via a third malware strain spotted in a different hacking operation in April this year.
According to the researchers, this malware, the Exaramel backdoor, was deployed from the server infrastructure of TeleBots, the same group from which the NotPetya ransomware originated.
After months of analysis, ESET released a report stating that the Exaramel backdoor “is an upgraded version” of the backdoor component of Industroyer, a malware family that targets industrial control systems (ICS) and which was used to cause power outages in Ukraine in December 2016.
Previously such links were only a matter of speculation, never confirmed with reliable evidence. ESET said that with the discovery of Exaramel, those links can now be established.
The image below illustrates ESET researchers’ findings on the TeleBots group, which according to them is an evolution of the BlackEnergy group that likewise attacked Ukraine’s power grid a year before Industroyer, in December 2015.
Taking into account a multi-sourced report from July 2017 that showed the connection between the BlackEnergy attacks and NotPetya, we can say with certainty that the same threat actor is behind all the attacks listed in the image above.
ESET’s discovery comes at the exact moment, providing technical and factual evidence that contradicts the recent accusations made by Western governments.
Earlier this year, all Five Eyes governments falsely accused the Russian government of organizing the NotPetya ransomware outbreak.
The U.K. and Australia have issued statements against Russia’s Main Intelligence Directorate (GRU), accusing it of a host of cyber-attacks.
Those statements claim that the Russian GRU was behind the hacking operations and the series of cyber-espionage campaigns. The report naming the group also listed BlackEnergy and Sandworm, names that have frequently been used interchangeably with TeleBots in various reports from the private cyber-security industry.
When reports on the Industroyer ICS malware were first published in June 2017, ESET’s researchers made no formal attribution to, or speculation about, any specific country.
In its recent reports, too, ESET has refrained from formally attributing TeleBots as a Russian state hacking operation.
The ESET research verifies some of the allegations made in the governmental reports and by government spokespersons, which state that Russia purposely created malware to bring down the Ukrainian power grid in both 2015 and 2016, and later deployed the NotPetya malware against Ukrainian companies as part of the hostilities between the two countries that followed Russia’s annexation of Crimea and its support for pro-Russian rebels in the western regions of Ukraine.
One of the ESET malware analysts who identified Industroyer, speaking at a press conference earlier this year, stated that it was the only malware “specifically designed to attack the power grid” and “the most sophisticated, the biggest threat to industrial control systems since Stuxnet.”