GreyEnergy, Sofacy Share Tools and Techniques

Recent research has indicated possible linkages between two prolific advanced persistent threat groups that likely operate out of Russia. GreyEnergy, a group that targeted Industrial Control Systems mainly in Ukraine, has been found to have used the same infrastructure as Zebrocy, which is a subset of the Sofacy group (aka APT28, Fancy Bear, Sednit). GreyEnergy and Zebrocy not only used the same server to host phishing documents and malware C&C, but they also targeted the same Kazakhstan organisation in June 2018. Researchers have previously suspected that GreyEnergy operates in parallel with the TeleBots group, which is responsible for various destructive ransomware campaigns, including NotPetya. Meanwhile, Zebrocy activity has been detected since 2015 and has largely targeted government entities in the Middle East, Europe and Asia.

[1] GreyEnergy’s Overlap with Zebrocy
[2] GreyEnergy’s Overlap with Zebrocy (PDF)

Ensign InfoSecurity Singapore
30A Kallang Place
Singapore 339213

Tel: +65 6788 2882
Fax: +65 6788 3883