By Gregory Hale
Researchers say they have identified a piece of malware they believe was used in the December 2016 attack on a Ukrainian substation that targeted the power grid.
The malware was discovered by ESET, which called it Industroyer. The company also shared some data with ICS cybersecurity company Dragos, which tracks it as CRASHOVERRIDE and the attacker that uses it as ELECTRUM.
Industroyer is the fourth such threat known to the ICS industry. The other ICS-tailored malware families are Stuxnet, used in the 2010 attack targeting Iranian nuclear facilities; BlackEnergy, used in the December 2015 Ukraine power grid attacks; and Havex, used mainly against organizations in Europe.
While they could not confirm the malware was the direct cause of the 2016 power outages in Ukraine’s Kiev region, ESET and Dragos remain confident this is the malware used in the attack.
“The implications of the Crash Override or Industroyer malware are significant,” said Andrea Carcano, co-founder and chief product officer for Nozomi Networks. “Unlike Stuxnet, which was designed to attack a particular uranium enrichment plant, this malware is broad-based and could affect power grids in many countries. We recommend that electric utilities monitor and improve their cyber resiliency programs, including implementing real-time ICS cybersecurity and visibility solutions.”
Dragos said the ELECTRUM actor has direct ties to the BlackEnergy (Sandworm) group, and ESET said while there are no code similarities between the malware used in the 2015 and 2016 Ukraine attacks, some components are similar in concept.
Industroyer has been described as a sophisticated modular malware that has several components: a backdoor, a launcher, a data wiper, various tools, and at least four payloads.
These payloads are the most interesting component as they allow the malware’s operators to control electric circuit breakers.
In one theoretical attack scenario described by Dragos in its report, malicious actors use the malware to open closed breakers in an infinite loop, causing the substation to de-energize.
By executing commands in an infinite loop, the attackers ensure that operators of the targeted facility cannot close the breakers from the HMI. This can require operators to interrupt communications with the substation and manually address the issue, which could result in an outage that lasts for a few hours.
In another scenario, the attackers initiate an infinite loop where breakers continually open and close, which can trigger protections and cause the substation to go offline. Experts believe launching such an attack in a coordinated fashion against multiple sites could result in outages that last for a few days.
The malware’s main backdoor component allows attackers to execute various commands on the infected system. It communicates with its command and control (C&C) servers over the Tor network and it can be programmed to be active only at specified times, which are likely mechanisms for avoiding detection.
This component also deploys a secondary backdoor disguised as a Trojanized version of the Windows Notepad application. The main backdoor is also responsible for installing the launcher component, which initiates the wiper and the payloads.
The wiper is apparently designed for the final stages of the attack to help the attackers hide their tracks and make it more difficult to restore affected systems. This includes clearing registry keys, and overwriting ICS configuration and Windows files.
The payloads, which allow attackers to control circuit breakers, leverage industrial communication protocols. This suggests that at least some of the malware’s developers have a deep understanding of power grid operations and industrial network communications.
“After years of working closely with global power generators, we have seen that network communications across grids are usually very stable and that once baselined, it’s possible to detect anomalies,” Carcano said. “Unusual messages using regular power system communication protocols can be identified and flagged, and action can be taken on them before an outage occurs.”
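The two attack scenarios described above (repeated open commands on the same breaker, and breakers toggled open and closed until protection trips) and Carcano's point that baselined substation traffic makes unusual control messages stand out can be turned into a small detection routine. The following is an added example written for this article, not code from ESET, Dragos or Nozomi Networks; the record format, host names (`hmi-01`, `eng-ws-03`, `rtu-07`) and thresholds are constructed for illustration, and the protocol decoding that would produce such records is assumed to happen upstream.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlCommand:
    """One breaker control command seen on the substation network (constructed format)."""
    ts: int       # seconds from start of capture
    src: str      # host that issued the command
    dst: str      # device that received it (hypothetical names below)
    point: str    # breaker identifier on that device
    action: str   # "open" or "close"


# Constructed baseline: a normal period in which only the HMI issues a few commands.
BASELINE = [
    ControlCommand(100, "hmi-01", "rtu-07", "brk-1", "open"),
    ControlCommand(400, "hmi-01", "rtu-07", "brk-1", "close"),
    ControlCommand(3000, "hmi-01", "rtu-07", "brk-2", "open"),
    ControlCommand(3100, "hmi-01", "rtu-07", "brk-2", "close"),
]

# Constructed suspect period: a workstation that never issued commands in the baseline
# repeats "open" on one breaker, then toggles another breaker open and closed.
SUSPECT = (
    [ControlCommand(5000 + i, "eng-ws-03", "rtu-07", "brk-1", "open") for i in range(10)]
    + [ControlCommand(5100 + i, "eng-ws-03", "rtu-07", "brk-2",
                      "open" if i % 2 == 0 else "close") for i in range(8)]
)


def learn_baseline(commands, window=60):
    """Learn which src->dst pairs issue commands and their peak count per time window."""
    per_window = Counter((c.src, c.dst, c.ts // window) for c in commands)
    peak = defaultdict(int)
    for (src, dst, _), n in per_window.items():
        peak[(src, dst)] = max(peak[(src, dst)], n)
    return dict(peak)


def detect(commands, peak, window=60, repeat_threshold=3, flap_threshold=4):
    """Return a sorted, de-duplicated list of (rule, window_start, detail) alerts."""
    alerts = set()
    rate = Counter()              # commands per (src->dst pair, window)
    same_action_run = Counter()   # consecutive identical actions per (dst, point)
    last_action = {}              # last action seen per (dst, point)
    flips = Counter()             # open<->close transitions per (dst, point, window)
    for c in commands:
        pair = (c.src, c.dst)
        w = c.ts // window
        # Rule 1: a source/destination pair never seen in the baseline.
        if pair not in peak:
            alerts.add(("unknown_pair", w * window, pair))
        # Rule 2: command rate above twice the baseline peak for this pair.
        rate[(pair, w)] += 1
        if rate[(pair, w)] > max(2 * peak.get(pair, 0), 1):
            alerts.add(("rate", w * window, pair))
        # Rule 3: the same action re-sent to a breaker that should already be in that state.
        pt = (c.dst, c.point)
        if last_action.get(pt) == c.action:
            same_action_run[pt] += 1
        else:
            same_action_run[pt] = 1
            if pt in last_action:
                flips[(pt, w)] += 1
        last_action[pt] = c.action
        if same_action_run[pt] >= repeat_threshold:
            alerts.add(("repeated_command", w * window, pt + (c.action,)))
        # Rule 4: a breaker toggled open/close repeatedly within one window.
        if flips[(pt, w)] >= flap_threshold:
            alerts.add(("flapping", w * window, pt))
    return sorted(alerts)


if __name__ == "__main__":
    learned = learn_baseline(BASELINE)
    for alert in detect(SUSPECT, learned):
        print(alert)
```

Run against its own baseline the detector stays silent; run against the constructed suspect period it raises all four rule types. In practice the baseline would be learned over weeks of traffic and the window and thresholds tuned to the site, but the structure (known pairs, rate ceiling, repeated identical commands, rapid toggling) is what lets the two scenarios above be flagged before the substation de-energizes.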
“There seems an undercurrent of surprise or reactionary concern when we hear details on how bad actors are advancing sophisticated means to attack critical infrastructure,” said David Zahn, general manager of ICS Cybersecurity at PAS. “In power, we are in denial that a similar attack could happen in the U.S. We also get mired in misconceptions that we are well prepared because of regulation, or (the idea that) squirrels — yes squirrels — are more likely to bring down power than a hacker. The problem is that nation states have a plan, squirrels do not.
“The latest news about Crash Override is one more wakeup call that we need to become better at the cybersecurity basics which most industrial companies struggle doing today — know what ICS cyber assets you have (from smart field instruments to controllers to workstations), identify and manage vulnerabilities, detect when an unauthorized change occurs, and ensure backups are available.
“It’s easy to hit the snooze button and ignore these kinds of wake-up calls, especially when attacks happen in other countries and regulatory compliance receives such a strong focus within power,” Zahn said. “This is not a path we as an industry can sustain. Flipping the script on prioritizing good cybersecurity over good compliance is a step down a better path.”
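The wiper stage described earlier overwrites ICS configuration and Windows files, and Zahn's list of basics includes detecting unauthorized changes and keeping backups available. A file-integrity baseline covers both: hash the configuration tree while it is known good, keep the manifest off the host, and diff a fresh manifest against it. The following is an added example written for this article, not code from any vendor named in it; the directory layout and file contents are constructed, and the tampering step only simulates the kind of overwrite and deletion the article attributes to the wiper.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large config dumps do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline, current):
    """Classify differences between the stored baseline and a fresh manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed config tree, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "known good" configuration files (hypothetical names and contents).
        (root / "substation.cfg").write_text("breaker_count=12\n")
        (root / "points").mkdir()
        (root / "points" / "feeder_a.csv").write_text("brk-1,open\nbrk-2,closed\n")
        (root / "points" / "feeder_b.csv").write_text("brk-3,closed\n")
        baseline = build_manifest(root)   # in production: store this off-host

        # Simulated unauthorized change: one file overwritten with junk, one deleted,
        # one unexpected file dropped in.
        (root / "substation.cfg").write_bytes(b"\x00" * 64)
        (root / "points" / "feeder_b.csv").unlink()
        (root / "points" / "extra.csv").write_text("x\n")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest must live somewhere the compromised host cannot reach (a read-only share or a separate monitoring system), otherwise the same wiper that rewrites the configuration can rewrite the manifest. The "removed" and "modified" lists are also the restore list: each entry names a file whose backup copy is needed before the system can be trusted again.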