ESET discovers links between two of the largest attacks on global cybersecurity

Researchers from the cybersecurity company found evidence of a connection between the fake ransomware NotPetya and the Industroyer malware, responsible for blackouts in critical infrastructure.

ESET, a leader in proactive threat detection, discovered evidence that reveals a connection between the well-known cybercriminal group Telebots and Industroyer, the most powerful malware targeting critical infrastructure discovered so far, responsible for the electricity supply cuts in the main region of Ukraine in 2016.

Telebots has already demonstrated its potential with another of its creations, NotPetya, a malware that wipes specific sections of the disk, rendering a computer unusable, and that, posing as ransomware, disrupted the activity of companies worldwide in 2017. Likewise, this organized cybercriminal group appears to be linked to BlackEnergy, another malware aimed at critical infrastructure, which had already caused outages in the Ukrainian electrical grid in 2015 (foreshadowing what would happen a year later on a larger scale with Industroyer).

“The speculations about the connection between Industroyer and the Telebots group arose shortly after the malware hit Ukraine,” explains ESET researcher Anton Cherepanov, responsible for conducting research on Industroyer and NotPetya. “However, no evidence between the two had been publicly recognised so far.”

In April 2018, ESET discovered new activity by the cybercriminal group when it deployed a new backdoor, which the cybersecurity company detects as Exaramel. The analysts then pointed out that this backdoor was an improved version of Industroyer and, therefore, the first evidence of the connection between the group and this attack *.

“The discovery of Exaramel shows that the Telebots group remains active today and the attackers continue to improve their tools and tactics,” continues Cherepanov. “We will continue to monitor your activity to protect our users,” concludes the researcher.