On Friday, three cyber-security firms have come forward with reports or statements that link the NotPetya ransomware outbreak to a cyber-espionage group known for a large number of past cyber-attacks, such as the one on Ukraine's power grid in December 2015.

The group behind all these attacks has been active since 2007 and is tracked under different names, such as Sandworm, BlackEnergy, and most recently as TeleBots, while other lesser known names include Electrum, TEMP.Noble, and Quedagh.

Group has a long history of hacking

Despite becoming famous for using a Windows zero-day (CVE-2014-4114) against NATO and government organizations in 2014, the group is mainly known for two things: attacks on industrial infrastructure and their recent focus on Ukraine.

The group usually targets networks with SCADA equipment [1, 2] via a malware strain named BlackEnergy (v1, v2, and v3 - deployed since 2007).

While the group initially went after targets all over the globe, in 2014, the group started focusing most of its operations against Ukraine, shortly after Russia occupied the Crimean Peninsula [1].

Its most infamous attack remains the power blackout caused across western Ukraine around Christmas 2015 [1, 2]. While this attack gained the most media attention, the group also targeted the country's airports, media organizations, banks, railroad, and mining companies, in wave after wave of attacks [1, 2, 3].

The BlackEnergy malware was used against industrial targets, but for attacks on other organizations, the group relied on social engineering, spear-phishing, and macro malware.

Group previously developed KillDisk wiper (fake ransomware)

One distinctive malware associated with this group is KillDisk. This is malware designed to destroy infected computers, meant to allow for industrial sabotage or covering the tracks of a cyber-attack. The group has long used this tool to attack its targets, but attacks with KillDisk ramped up this past winter.

According to various reports, in December 2016, researchers reported seeing new versions of the KillDisk malware that came with a ransomware component, allowing it to "pass" as a ransomware infection.

Initial versions of this KillDisk ransomware component were crude and didn't even ask for a ransom, only showing an image from the Mr.Robot TV show.

Picture displayed by KillDisk component [Source: ESET]
Picture displayed by KillDisk component [Source: ESET]

Later, the group updated the KillDisk ransomware component with a ransom note but requested an absurd amount of money from victims (222 Bitcoin, or around $215,000 at the time). This huge ransom demand indicates that the group was never interested in money or expected victims to pay, something that researchers also said about NotPetya.

KillDisk ransom note [Source: CyberX]
KillDisk ransom note [Source: CyberX]

Later, the same KillDisk malware was also ported to Linux. Most of these KillDisk attacks where the ransomware component was deployed were at Ukrainian banks and sea transportation companies, consistent with the group's agenda of focusing attacks on Ukrainian targets.

NotPetya, XData, BlackEnergy, & Sandworm are all connected

In a report released on Friday, ESET researcher Anton Cherepanov says his company discovered evidence that the group is behind many of the recent custom-made ransomware families that have targeted Ukraine,

Shared infrastructure and TTPS (Tactics, Techniques, and Procedures) reveal a connection between past TeleBots/BlackEnergy/Sandworm operations and three ransomware outbreaks such as Win32/Filecoder.NKH (March 2017),  XData (May 2017), and NotPetya (June 2017).

All three ransomware outbreaks, including the recent NotPetya attacks, Cherepanov says were specifically aimed at Ukrainian targets, consistent with the group's past targeting, appearing to be part of a larger campaign aimed at sabotaging Ukraine's business sector.

In a similar report also released on Friday, Kaspersky Lab also points out to the same connections between TeleBots/BlackEnergy/Sandworm past attacks and the NotPetya ransomware outbreak.

Nonetheless, unlike ESET, Kaspersky says its findings have a marking of "low confidence," and shouldn't be taken as definitive proof just yet.

Group linked to Russia in the past

In the past, various cyber-security firms have linked the TeleBots/BlackEnergy/Sandworm group to Russian cyber-espionage operations.

However, neither ESET or Kaspersky have gone on record to blame the recent NotPetya outbreak on Russia, only drawing links to a well-known APT — a term used to describe groups involved in nation-state hacking operations — hoping others would connect past clues and reach their own conclusions.

Other have already done so. In a Financial Times article, John Watters, head of global cyber intelligence operations for FireEye, said he's "reasonably confident" that Russia was behind the NotPetya outbreak.

Ukrainian officials have already gone on record and blamed the NotPetya incident on Russian security services. NATO didn't name Russia, but it said that a "state actor" was behind the attacks. Blaming Russia is easy, if we take the current political landscape into consideration.

Current evidence is not enough

Nonetheless, the evidence presented is not enough to make such bold remarks. Evidence shows thin lines to past "alleged" Russian operations, and nothing more. For example, Aleks Gostev, Chief Security Expert at Kaspersky's GReAT team, proposed a theory today on Twitter.

The group and the NotPetya campaign may have ties to past Russian state hacking campaigns, but that doesn't mean they're currently operating under orders from Russian officials.

Furthermore, this Twitter thread contains other wild theories showing various potentially valid scenarios for NotPetya attack attribution.

ESET and Kaspersky might have found some footsteps on the ground, but more solid evidence is needed before putting a smoking gun in Russia's hands for the whole NotPetya outbreak.

Related Articles:

The Week in Ransomware - October 12th 2018 - NotPetya, GandCrab, and More

GandCrab Devs Release Decryption Keys for Syrian Victims

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

Windows 10 Ransomware Protection Bypassed Using DLL Injection

New Reports Show Increased CyberThreats, User Risks Remain High