ESET, a computer security firm in the Slovak Republic, has uncovered a new secret malware infection. It has dubbed this GreyEnergy, after the December 2015 BlackEnergy attacks in Eastern Europe.

Like BlackEnergy, Industroyer and Telebots, the malefactors seem to have focused GreyEnergy on energy and transportation infrastructure in Eastern Europe. That includes Poland, but mostly Ukraine. ESET declined to offer an opinion on the source of GreyEnergy, but I suppose we can draw our own conclusions, given the targeting.

ESET chose the name GreyEnergy because of its surreptitious nature. BlackEnergy, by contrast, was a boots-and-all attack, closing down some Ukrainian energy infrastructure for several hours, affecting hundreds of thousands of people. GreyEnergy is a stealth attack, with the malware being infiltrated into Command and Control servers using TOR relays.

ESET’s monitoring headquarters; TOP: ESET’s mascot robot

TOR is The Onion Router, the secret system used by those seeking anonymity on the Internet, for both good reasons and ill.

GreyEnergy’s only destructive action so far appears to have been the display of the Moonraker logo used by the earlier Petya malware. It has used stolen security certificates to sneak in its modules. The GreyEnergy developers stole the certificates from Advantech, an industrial manufacturer based in Taiwan. I suppose you get your illicit certificates wherever you can find them.

GreyEnergy is remarkably clever, in a theme ESET repeatedly emphasised at its briefing. Once GreyEnergy had made its way in, it would infect connected computers. Then the computers would add a re-infection agent to the servers to make sure they were again infected, were they to be cleaned.

Will GreyEnergy attack your computer?

Does any of this matter to you? So what if far-away bad guys are trying sneaky attacks on far-away big companies?

Well, there are several ways that could affect us. First, State actors could try these kinds of surreptitious attacks on Australian infrastructure. Second, the software is getting smarter, with modern expert technology being built into it, making it more dangerous. Third, the ideas and techniques used in any malware tend to spread to others making malware for their own purposes.

A technique developed to close down a Ukrainian power plant could end up being used to insert ransomware into your computer. In any case, the borders between industrial malware and smaller-scale criminal attacks are blurry. ESET says that the Telebots malware was principally a “kill disk” attack, disguised as ransomware. Those who believed its demands would have paid 222 Bitcoin (worth about $US1.4 million at today’s Bitcoin rates) and gotten back precisely nothing.


Have you heard of ESET? Long-time readers will have. Seen here for example.

In Australia, one tends to think of other names when it comes to anti-virus software. But ESET has been in the business since 1987. That was when the Slovak Republic was still part of Czechoslovakia, and still under Soviet domination. It was incorporated in 1992 when such things became legal after the fall of the iron curtain. It remains a privately held company.

Since then ESET has grown to global proportions, with research and development centres from San Diego to Buenos Aires to Singapore, although its main research facility remains in Bratislava, capital of the Slovak Republic.

It now has 1,600 employees and a hundred million knowing customers. By “knowing”, I mean people and businesses who have installed ESET security packages on their computers. But there are another half a billion unknowing users. ESET says that it was chosen by Google to provide protective functions in the Chrome browser. That’s to provide security against unsafe websites and other dangers. Of course, for non-ESET users, that protection is provided only when the user is within Chrome.

In Bratislava, ESET has a Houston-like monitoring centre, with large screens on the walls showing possible infections across Europe and across the world. It’s necessarily an incomplete picture, since the information is provided by installed ESET software, and that requires an opt-in. Still, having been in the business for so long, ESET has been able to follow malware attacks as they’ve developed across the decades.

UEFI attacks

Most recently, it has incorporated a UEFI scanner into its virus protection products. UEFI stands for Universal Extensible Firmware Interface. All computers have a BIOS – Basic Input/Output System. The interface to those was generally proprietary until around 2000. Then Intel started the process of standardisation by releasing the Extensible Firmware Interface. By 2005 a coalition of computer makers had developed a “Universal” version of this.