TeleBots
Description
(ESET) In the second half of 2016, ESET researchers identified a unique malicious toolset that was used in targeted cyberattacks against high-value targets in the Ukrainian financial sector. We believe that the main goal of attackers using these tools is cybersabotage. This blog post outlines the details about the campaign that we discovered.
We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group.
This group appears to be closely associated with, or evolved from, Sandworm Team, Iron Viking, Voodoo Bear.
Names
Name | Name-Giver |
---|---|
TeleBots | ESET |
Country
Sponsor
State-sponsored, GRU
Motivation
- Sabotage and destruction
First Seen
2015
Observed Sectors
Observed Countries
Tools
- BadRabbit
- BlackEnergy
- CredRaptor
- Exaramel
- FakeTC
- Felixroot
- GreyEnergy
- KillDisk
- NotPetya
- TeleBot
- TeleDoor
- Living off the Land
Operations
- 2016-12: These recent ransomware KillDisk variants are not only able to target Windows systems, but also Linux machines, which is certainly something we don’t see every day. This may include not only Linux workstations but also servers, amplifying the damage potential. https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/
- 2017-03: In 2017, the TeleBots group didn’t stop their cyberattacks; in fact, they became more sophisticated. In the period between January and March 2017 the TeleBots attackers compromised a software company in Ukraine (not related to M.E. Doc), and, using VPN tunnels from there, gained access to the internal networks of several financial institutions. https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
- 2017-05: XData ransomware making rounds amid global WannaCryptor scare. A week after the global outbreak of WannaCryptor, also known as WannaCry, another ransomware variant has been making the rounds. Detected by ESET as Win32/Filecoder.AESNI.C, and also known as XData ransomware, the threat has been most prevalent in Ukraine, with 96% of the total detections between May 17th and May 22nd, and peaking on Friday, May 19th. ESET has protected its customers against this threat since May 18th. https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/
- 2017-06: NotPetya ransomware https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/ ThaiCERT’s whitepaper: https://www.dropbox.com/s/hksfa7zzc17jgrq/Whitepaper Petya Ransomware.pdf?dl=0
- 2017-10: Bad Rabbit ransomware https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/ ThaiCERT’s whitepaper: https://www.dropbox.com/s/tb8qmb98082p9e7/Whitepaper BadRabbit Ransomware.pdf?dl=0
Counter Operations
- 2020-07: EU imposes the first ever sanctions against cyber-attacks https://www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu-imposes-the-first-ever-sanctions-against-cyber-attacks/
- 2020-10: Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and
Information
- https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
- https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/
Other Information
Uuid
e84ec224-5c5f-4d2c-a3e6-0ee398ba1136
Last Card Change
2023-06-22