The TeleBots threat actor group has been linked to the Industroyer malware used against the Ukrainian power grid in December 2016. Researchers drew the conclusion after comparing several technical indicators: code similarities, shared command-and-control (C2) infrastructure, and the malware's execution flow.
Researchers from ESET said that their discovery in April 2018 provided the first concrete evidence of the link. By tracking the backdoors TeleBots deployed, they were able to connect the group to the Industroyer toolset.
In April 2018, they detected new TeleBots activity: the group was deploying a new backdoor, detected as Win32/Exaramel. Exaramel is an improved version of the backdoor from the Industroyer toolset used in the December 2016 power outage attack in Kyiv.
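The kind of comparison the attribution rests on (shared code, shared C2 hosts, matching execution flow) can be scored mechanically once indicators have been extracted from each sample. The following is an added example, not ESET's code or its published methodology: it scores two sample profiles on function-hash overlap, C2 overlap and execution-step agreement. Every indicator in it is constructed (RFC 5737 documentation addresses and `.invalid` domains), the function hashes are placeholders, and the weights in `compare()` are an arbitrary choice for illustration, not values from the research.

```python
"""Indicator-overlap scoring between two malware sample profiles.

Added example, not ESET's code: illustrates correlating code-level
similarity, shared C2 infrastructure and execution flow. All indicators
are CONSTRUCTED placeholders, not real Industroyer or TeleBots IOCs.
"""
from dataclasses import dataclass, field


@dataclass
class SampleProfile:
    name: str
    # Per-function fingerprints (e.g. from a disassembler's function
    # hashing pass); shared entries suggest code reuse between samples.
    function_hashes: set = field(default_factory=set)
    # C2 endpoints extracted from the sample's embedded configuration.
    c2_hosts: set = field(default_factory=set)
    # Observed execution steps in order (drop, persist, beacon, ...).
    exec_steps: tuple = ()


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; defined as 0 when both sets are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def common_prefix_len(a: tuple, b: tuple) -> int:
    """Number of leading execution steps the two samples share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def compare(a: SampleProfile, b: SampleProfile) -> dict:
    """Score similarity of two profiles and list the concrete shared evidence."""
    code = jaccard(a.function_hashes, b.function_hashes)
    infra = jaccard(a.c2_hosts, b.c2_hosts)
    shared_steps = common_prefix_len(a.exec_steps, b.exec_steps)
    steps = shared_steps / max(len(a.exec_steps), len(b.exec_steps), 1)
    # Weights are an assumption made for this example only.
    combined = 0.4 * code + 0.4 * infra + 0.2 * steps
    return {
        "code": code,
        "infra": infra,
        "steps": steps,
        "combined": combined,
        # The shared hosts are what an analyst would actually cite as evidence.
        "shared_c2": sorted(a.c2_hosts & b.c2_hosts),
        "shared_functions": sorted(a.function_hashes & b.function_hashes),
    }


def build_samples():
    """Two constructed profiles: an older toolset and a newer backdoor."""
    older = SampleProfile(
        name="older-toolset-sample",
        function_hashes={"fn-a1", "fn-b2", "fn-c3", "fn-d4"},
        c2_hosts={"198.51.100.7", "c2-one.example.invalid"},
        exec_steps=("drop", "persist-service", "beacon", "exec-cmd"),
    )
    newer = SampleProfile(
        name="newer-backdoor-sample",
        function_hashes={"fn-b2", "fn-c3", "fn-d4", "fn-e5", "fn-f6"},
        c2_hosts={"198.51.100.7", "c2-two.example.invalid"},
        exec_steps=("drop", "persist-service", "beacon", "update-config"),
    )
    return older, newer


if __name__ == "__main__":
    result = compare(*build_samples())
    for key, value in result.items():
        print(f"{key}: {value}")
```

A single high score is not attribution on its own; the useful output is the `shared_c2` and `shared_functions` lists, which can be checked against other telemetry before drawing a conclusion.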
“The main difference between the backdoor from the Industroyer toolset and this new TeleBots backdoor is that the latter uses XML format for communication and configuration instead of a custom binary format,” explained Anton Cherepanov and Robert Lipovsky in a research paper.
The discovery of Exaramel shows that the TeleBots group is still active and has upgraded its tools and tactics.
TeleBots has also been linked to the NotPetya disk-wiping malware, which posed as ransomware, and to the BlackEnergy malware toolkit. The researchers traced a series of the group's activities between 2015 and 2017 which, taken together, they consider strong evidence for the link.
“ESET researchers have been following the activity of the APT group utilizing BlackEnergy both before and after this milestone event. After the 2015 blackout, the group seemed to have ceased actively using BlackEnergy and evolved into what we call TeleBots,” wrote Cherepanov and Lipovsky, referring to the December 2015 attack on the Ukrainian power industry.
Highlighting the group’s involvement in the NotPetya ransomware attack, the researchers said, “In June 2017, when many large corporations worldwide were hit by the Diskcoder.C ransomware (aka Petya and NotPetya) – most probably as unintended collateral damage – we discovered that the outbreak started spreading from companies afflicted with a TeleBots backdoor, resulting from the compromise of the popular financial software M.E.Doc.”