Threat Intelligence
6/12/2017
06:36 PM
First Malware Designed Solely for Electric Grids Caused 2016 Ukraine Outage

Attackers used CrashOverride/Industroyer to cause a partial power outage in Kiev, Ukraine, but it can be used anywhere, say researchers at Dragos and ESET.

Researchers from cybersecurity firms Dragos and ESET this week sounded the alarm on what they described as the first ever malware designed specifically to attack the electric grid at scale.

A threat group calling itself ELECTRUM used the malware - dubbed CrashOverride and Industroyer by the two vendors respectively - in an attack against Ukraine's power grid in December 2016 that resulted in parts of Kiev losing power for about an hour.

The malware does not target any particular vendor's technology, nor does it exploit any specific vulnerability. Instead, it is designed to map, target and attack grid operations by using the communication protocols of industrial control systems exactly as they were designed to be used. Because of this, the usual defensive measures such as patching, anti-malware tools, air-gapping and perimeter defense tools are useless at stopping the threat.

"The purpose for the malware is clear: cybersabotage, without a doubt," says Robert Lipovsky, senior malware researcher at ESET.

What's unclear, however, is what exactly the threat actors were trying to accomplish with their attacks in Ukraine, he says. Considering the sophistication of the malware and the amount of effort that no doubt went into developing it, the attack itself was relatively low impact and was likely just a test run, he says. "The potential impact of this threat is much greater, as the communication protocols and targeted hardware are used in critical infrastructure worldwide."

The fact that CrashOverride/Industroyer is not vendor-, configuration- or vulnerability-specific also makes it trivially easy for threat actors to repurpose the malware and use it against pretty much any electric grid around the world, including the US. "The most significant aspect about CrashOverride is that it is vendor-independent," says Sergio Caltagirone, director of threat intelligence at Dragos. Threat actors can use CrashOverride to operate against grids around the world with little modification. "We are not saying everyone is going to get attacked. But this is a significant advancement in capabilities to attack power grids," Caltagirone says.

In two separate technical papers, Dragos and ESET described the malware as a framework with four modules, or payload components, that are designed to let attackers gain remote control of circuit breakers and switches within an electricity distribution substation. The payloads are designed to work in stages using specific ICS protocols to first map a target network, and then to figure out and issue commands for controlling ICS devices on the network.

[Robert M. Lee, CEO and Founder of Dragos, will be presenting a briefing titled "CRASHOVERRIDE: Zero Things Cool About a Threat Group Targeting the Power Grid" next month at Black Hat USA in Las Vegas.]

Attackers can use CrashOverride/Industroyer to open circuit breakers in a substation and force the breakers to remain open even if grid operators try to close them. This results in a substation becoming de-energized and forces operators to switch to manual operations.

Attackers can also use the malware to continuously toggle circuit breakers on and off until automated protective measures kick in and "island" off a substation from the rest of the grid to ensure stability of operations. "We believe the worst case is an islanding event where the transmission or distribution site walls itself off from the rest of the grid, so you would lose power" in that section of the grid, Caltagirone says.
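As an added defender-side illustration (not code from the article, Dragos or ESET), the following Python flags the two breaker-control patterns just described in a substation command log: a breaker repeatedly re-opened by a second host right after an operator's close, and rapid open/close toggling of one breaker. The log format, host names and breaker ids are constructed assumptions, not a real ICS protocol trace.

```python
from collections import defaultdict

# Constructed sample log (not from the article): seconds, source host, breaker, command
SAMPLE_LOG = """\
0 hmi-op1 CB-12 close
1 eng-ws7 CB-12 open
2 hmi-op1 CB-12 close
3 eng-ws7 CB-12 open
4 hmi-op1 CB-12 close
5 eng-ws7 CB-12 open
30 hmi-op1 CB-40 open
60 eng-ws7 CB-55 open
61 eng-ws7 CB-55 close
62 eng-ws7 CB-55 open
63 eng-ws7 CB-55 close
64 eng-ws7 CB-55 open
"""

def parse(log):
    """Return (ts, source, breaker, command) tuples; command is 'open' or 'close'."""
    return [(int(ts), src, cb, cmd)
            for ts, src, cb, cmd in (line.split() for line in log.strip().splitlines())]

def find_overrides(events, min_count=3):
    """Breakers re-opened by a different host immediately after a close command.
    Returns {(breaker, overriding_source): count} for counts >= min_count."""
    last = {}                     # breaker -> (source, command) of previous event
    counts = defaultdict(int)
    for _, src, cb, cmd in events:
        prev = last.get(cb)
        if prev and prev[1] == "close" and cmd == "open" and prev[0] != src:
            counts[(cb, src)] += 1
        last[cb] = (src, cmd)
    return {k: v for k, v in counts.items() if v >= min_count}

def find_toggling(events, window=10, min_changes=4):
    """Breakers whose state flips >= min_changes times within `window` seconds.
    Returns {breaker: max number of state changes seen in one window}."""
    changes = defaultdict(list)   # breaker -> timestamps of state changes
    last_cmd = {}
    for ts, _, cb, cmd in events:
        if cb in last_cmd and last_cmd[cb] != cmd:
            changes[cb].append(ts)
        last_cmd[cb] = cmd
    flagged = {}
    for cb, stamps in changes.items():
        best = max(sum(1 for t in stamps[i:] if t - t0 <= window)
                   for i, t0 in enumerate(stamps))
        if best >= min_changes:
            flagged[cb] = best
    return flagged
```

Thresholds and window sizes would be tuned per site; a single manual open (CB-40 above) is normal operation and is not flagged by either check.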

The likely duration of a blackout caused by an islanding event would be highly dependent on the architecture of the specific site, he says. In the December 2016 attack in Ukraine, grid operators were able to restore power to the affected areas in about 75 minutes by switching over to manual operations. In the US where substation operations are more automated, such manual overrides could be harder to accomplish and an outage caused by CrashOverride could potentially take up to two days to fix, Caltagirone says.

CrashOverride/Industroyer is the fourth publicly known malware designed specifically to target industrial control systems and networks. The other three are Stuxnet, Havex, and BlackEnergy. Not too surprisingly, the newly discovered malware incorporates elements and tactics from its predecessors. But it is also very different from them.

Stuxnet, for instance, was custom malware designed specifically to destroy centrifuges being used to enrich uranium at an Iranian facility in Natanz. It used four separate zero-day flaws to execute its mission. BlackEnergy 2 and Havex were both designed primarily to harvest information surreptitiously from ICS systems and networks, says Caltagirone.

CrashOverride/Industroyer's only mission on the other hand is to sabotage and disrupt grid operations.

Where the new malware is comparable to Stuxnet is in its ability to communicate directly with industrial hardware. In that regard, Industroyer and Stuxnet are the only two pieces of malware ever known to have this ability, adds Lipovsky.

"This malware is definitely the work of extremely dedicated, resourceful, and capable attackers with deep knowledge of the architecture and systems in power grid substations," Lipovsky says. "That is probably the most alarming aspect of the attack, especially considering that the hardware and communication protocols are not isolated to Ukraine but used in critical infrastructure worldwide."

Some reports have suggested that ELECTRUM, the group that carried out the Ukraine attacks, is affiliated with Russia. But both Lipovsky and Caltagirone say that there's nothing conclusive to indicate that connection for the moment. ELECTRUM does however appear to have direct ties to the Sandworm Team, a cyberespionage group out of Russia which hit multiple U.S. companies back in October 2014.

"We have no indication of the attacker's identity [but] they are certainly not typical cybercriminals or malware writers," Lipovsky said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Christian Bryant,
User Rank: Ninja
6/13/2017 | 3:37:47 PM
Infrastructure Exploits Underrated?
Power plant and grid exploits are getting more notice lately, and this is an important step in opening the eyes of both consumers and professionals to the underrated category of infrastructure vulnerabilities. Whether we are talking about massively automated manufacturing (cars, electronics, etc.), transportation (trains, planes, etc.) or power (nuclear, electric, etc.), infrastructure both networked and siloed is vulnerable to huge-impact hacks that can affect entire states, nations and industries.

The average person is definitely aware (even if on a subconscious level) of the impact on infrastructure that something as singular as a traffic accident, or a train collision, can have. The number of interdependent systems and parts that are affected freezes up more than just traffic around an accident. We are all resources to some extent for other systems, and cargo trucks held up by traffic cause delays in other systems again, and so on.

Now, imagine your airport shutting down entirely due to an electronic intrusion of the air traffic control systems. Or your state power grids completely shut off. Imagine nuclear plants pushed to meltdown, or missile silos engaged outside normal controls. For all the effort the information security industry puts into protecting banks (yes, those too can be brought to a complete shutdown), we need to be sure equal if not superior effort and resources are being assigned to infrastructure.

Understanding the level of intertwined systems that keep society moving, we would see a devastating cascade effect of descent into chaos should any number of U.S. infrastructure towers crumble. Incidents like those in the Ukraine are a huge red flag to us in the U.S. not to slumber on this. We must find more funding and more resources and move quickly to ensure the protection of our infrastructure, both high- and low-tech.
