Researchers at cybersecurity firm ESET reckon they’ve discovered links that tie one group of cybercriminals to the Industroyer and NotPetya cyberattacks.

That group is TeleBots, but how ESET discovered the link would make for an enthralling television series.

This is going to be a long one so get your coffee and lets dive into it.

Back in 2015 a malware toolkit known as BlackEnergy was used to conduct the first malware-enabled blackout in Ukraine.

“After the 2015 blackout, the group seemed to have ceased actively using BlackEnergy, and evolved into what we call TeleBots,” reads the ESET report.

The researchers report that they observed and documented ties between BlackEnergy attacks and attacks on the Ukrainian financial sector by the TeleBots group.

By now speculation was rife that the BlackEnergy/TeleBots was behind the Industroyer attack of 2016 that caused a blackout in Kiev, Ukraine for an hour. Unfortunately there was no concrete evidence.

Then in 2017 the Petya/NotPetya malware tore through large corporations and ESET noticed that the outbreak spread from companies that had been afflicted with a TeleBots backdoor through a compromise of the M.E.Doc software.

Fast forward to April of this year ESET discovered Exaramel, a new backdoor developed by TeleBots that the cybersecurity firm believes is an improved version of Industroyer.

“The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy. While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely,” writes ESET.

The firm has already notified Ukrainian authorities and together a potential attack has already been averted.

If you find the tracking of cybercriminals and linking of attacks at all interesting we urge you to check out the full report from ESET which dives into the code and execution similarities between the malware variants mentioned above.

 

[Image – CC 0 Pixabay]