Threat Intelligence

06:36 PM
Connect Directly

First Malware Designed Solely for Electric Grids Caused 2016 Ukraine Outage

Attackers used CrashOverride/Industroyer to cause a partial power outage in Kiev, Ukraine, but it can be used anywhere, say researchers at Dragos and ESET.

Researchers from cybersecurity firms Dragos and ESET this week sounded the alarm on what they described as the first ever malware designed specifically to attack the electric grid at scale.

A threat group calling itself ELECTRUM used the malware - dubbed CrashOverride and Industroyer by the two vendors respectively - in an attack against Ukraine's power grid in December 2016 that resulted in parts of Kiev losing power for about an hour.

The malware does not target any particular vendor's technology nor does it leverage any specific vulnerability or vulnerabilities. Instead, it is designed to map, target and attack grid operations by taking advantage of particular communication protocols used by industrial control systems. The malware uses the protocols in the manner that they were designed to be used. Because of this, the usual defensive measures such as patching, anti-malware tools, air-gapping and perimeter defense tools are useless at stopping the threat.

"The purpose for the malware is clear; cybersabotage, without a doubt," says Robert Lipovsky senior malware researcher at ESET.

What's unclear, however, is what exactly the threat actors were trying to accomplish with their attacks in Ukraine, he says. Considering the sophistication of the malware and the amount of effort that no doubt went into developing it, the attack itself was relatively low impact and was likely just a test run, he says. "The potential impact of this threat is much greater, as the communication protocols and targeted hardware are used in critical infrastructure worldwide."

The fact that CrashOverride/Industroyer is not vendor-, configuration- or vulnerability-specific also makes it trivially easy for threat actors to repurpose the malware and use it against pretty much any electric grid around the world, including the US. "The most significant aspect about CrashOverride is that it is vendor-independent," says Sergio Caltagirone, director of threat intelligence at Dragos. Threat actors can use CrashOveride to operate against grids around the world with little modification. "We are not saying everyone is going to get attacked. But this is a significant advancement in capabilities to attack power grids," Caltagirone says.

In two separate technical papers, Dragos and ESET described the malware as a framework with four modules, or payload components, that are designed to let attackers gain remote control of circuit breakers and switches within an electricity distribution substation. The payloads are designed to work in stages using specific ICS protocols to first map a target network, and then to figure out and issue commands for controlling ICS devices on the network.

[Robert M. Lee, CEO and Founder of Dragos, will be presenting a briefing titled "CRASHOVERRIDE: Zero Things Cool About a Threat Group Targeting the Power Grid" next month at Black Hat USA in Las Vegas.]

Attackers can use CrashOverride/Industroyer to open circuit breakers in a substation and force the breakers to remain open even if grid operators try to close them. This results in a substation becoming de-energized and forces operators to switch to manual operations.

Attackers can also use the malware to continuously toggle circuit breakers on and off until automated protective measures kick in and "island" off a substation from the rest of the grid to ensure stability of operations. "We believe the worst case is an islanding event where the transmission or distribution site walls itself off from the rest of the grid, so you would lose power," in that section of the grid, Caltagirone says.

The likely duration of a blackout caused by an islanding event would be highly dependent on the architecture of the specific site, he says. In the December 2016 attack in Ukraine, grid operators were able to restore power to the affected areas in about 75 minutes by switching over to manual operations. In the US where substation operations are more automated, such manual overrides could be harder to accomplish and an outage caused by CrashOverride could potentially take up to two days to fix, Caltagirone says.

CrashOverride/Industroyer is the fourth publicly known malware designed specifically to target industrial control systems and networks. The other three are Stuxnet, Havex, and BlackEnergy. Not too surprisingly, the newly discovered malware incorporates elements and tactics from its predecessors. But it is also very different from them.

Stuxnet for instance was custom malware designed specifically to destroy centrifuges being used to enrich Uranium at an Iranian facility in Natanz. It used four separate 0-day flaws to execute its mission. BlackEnergy 2 and Havex were both designed primarily to harvest information surreptitiously from ICS systems and networks, says Caltagirone.

CrashOverride/Industroyer's only mission on the other hand is to sabotage and disrupt grid operations.

Where the new malware is comparable to Stuxnet is in its ability to communicate directly with industrial hardware. In that regard, Industroyer and Stuxnet are the only two pieces of malware ever known to have this ability, adds Lipovsky.

"This malware is definitely the work of extremely dedicated, resourceful, and capable attackers with deep knowledge of the architecture and systems in power grid substations," Lipovsky says. "That is probably the most alarming aspect of the attack, especially considering that the hardware and communication protocols are not isolated to Ukraine but used in critical infrastructure worldwide."

Some reports have suggested that ELECTRUM, the group that carried out the Ukraine attacks, is affiliated with Russia. But both Lipovsky and Caltagirone say that there's nothing conclusive to indicate that connection for the moment. ELECTRUM does however appear to have direct ties to the Sandworm Team, a cyberespionage group out of Russia which hit multiple U.S. companies back in October 2014.

"We have no indication of the attacker's identity [but] they are certainly not typical cybercriminals or malware writers," Lipovsky said.

Related content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
6/13/2017 | 3:37:47 PM
Infrastructure Exploits Underrated?
Power plant and grid exploits are getting more notice lately and this is an important step in opening the eyes of both consumers and professionals to the underrated category of infrastructure vulnerabilities.  Whether we are talking about massively automated manufacturing (cars, electronics, etc), transportation (trains, planes, etc) or power (nuclear, electric, etc), infrastructure both networked and siloed is vulnerable to huge-impact hacks that can affect entire states, nations and industries.

The average person is definitely aware (even if on a subconscious level) the impact on infrastructure something as singular as a traffic accident can have, or a train collision.  The amount of interdependent systems and parts that are affected freeze up more than just traffic around an accident.  We are all resources to some extent for other systems, and cargo trucks held up by traffic are causing other systems again delays, and so on.

Now, imagine your airport shutting down entirely due to an electronic intrusion of the air traffic control systems.  Or your state power grids completely shut off.  Imagine nuclear plants pushed to meltdown, or missile silos engaged outside normal controls.  For all the information security industry puts into protecting banks (yes, those too can be brought to a complete shutdown), we need to be sure equal if not superior effort and resources are being assigned to infrastructure.

Understanding the level of intertwined systems that keep society moving, we would see a devastating cascade effect of descent into chaos should any number of U.S. infrastructure towers should crumble.  Incidents like those in the Ukraine are a huge red flag to us in the U.S. to not slumber on this.  We must find more funding, more resources and move quickly to ensure the protection of our infrastructure, both high- and low-tech.


12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
Most Malware Arrives Via Email
Dark Reading Staff 10/11/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.
PUBLISHED: 2018-10-15
NoMachine before 5.3.27 and 6.x before 6.3.6 allows attackers to gain privileges via a Trojan horse wintab32.dll file located in the same directory as a .nxs file, as demonstrated by a scenario where the .nxs file and the DLL are in the current working directory, and the Trojan horse code is execute...
PUBLISHED: 2018-10-15
Stored XSS has been discovered in version 1.0.12 of the LUYA CMS software via /admin/api-cms-nav/create-page.
PUBLISHED: 2018-10-15
In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The profile image in the User settings section can be run in the update / upload area via /admin/media/upload?actions=false.
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.