First Malware Designed Solely for Electric Grids Caused 2016 Ukraine Outage

Attackers used CrashOverride/Industroyer to cause a partial power outage in Kiev, Ukraine, but it can be used anywhere, say researchers at Dragos and ESET.

Researchers from cybersecurity firms Dragos and ESET this week sounded the alarm on what they describe as the first-ever malware designed specifically to attack electric grids at scale.

A threat group that Dragos tracks as ELECTRUM used the malware, dubbed CrashOverride by Dragos and Industroyer by ESET, in an attack against Ukraine's power grid in December 2016 that left parts of Kiev without power for roughly an hour.

The malware does not target any particular vendor's equipment, and its core payloads exploit no software vulnerability. Instead, it is built to map, target and attack grid operations by speaking the communication protocols that industrial control systems use, and it uses those protocols exactly as they were designed to be used. (The one exception is an optional denial-of-service tool, documented in ESET's analysis, that crashes Siemens SIPROTEC protection relays via a known flaw, CVE-2015-5374.) Because the control traffic is legitimate protocol use rather than an exploit, the usual defensive measures such as patching, anti-malware tools, air-gapping and perimeter defense tools do little to stop the attack itself: there is no flaw to patch, and at the protocol level a malicious breaker command looks like an operator's. Defenders are left with monitoring the ICS network for who is issuing control commands and whether those commands make operational sense.

"The purpose of the malware is clear: cybersabotage, without a doubt," says Robert Lipovsky, senior malware researcher at ESET.

What's unclear, however, is what exactly the threat actors were trying to accomplish with their attacks in Ukraine, he says. Considering the sophistication of the malware and the effort that went into developing it, the attack itself was relatively low-impact and was likely just a test run, he says. "The potential impact of this threat is much greater, as the communication protocols and targeted hardware are used in critical infrastructure worldwide."

The fact that CrashOverride/Industroyer is not vendor-, configuration- or vulnerability-specific also makes it comparatively easy for threat actors to repurpose the malware against almost any electric grid in the world, including in the US. "The most significant aspect about CrashOverride is that it is vendor-independent," says Sergio Caltagirone, director of threat intelligence at Dragos. Threat actors can use CrashOverride to operate against grids around the world with little modification. "We are not saying everyone is going to get attacked. But this is a significant advancement in capabilities to attack power grids," Caltagirone says.

In two separate technical papers, Dragos and ESET described the malware as a framework with four payload modules, one for each of the substation protocols it speaks (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA), designed to let attackers gain remote control of circuit breakers and switches within an electricity distribution substation. The payloads work in stages: they first use the protocol to map the target network and enumerate controllable points, then work out and issue the commands that drive the ICS devices on it.

[Robert M. Lee, CEO and Founder of Dragos, will be presenting a briefing titled "CRASHOVERRIDE: Zero Things Cool About a Threat Group Targeting the Power Grid" next month at Black Hat USA in Las Vegas.]

Attackers can use CrashOverride/Industroyer to open circuit breakers in a substation and force the breakers to remain open even if grid operators try to close them. This results in a substation becoming de-energized and forces operators to switch to manual operations.

Attackers can also use the malware to continuously toggle circuit breakers open and closed until automated protective measures kick in and "island" off a substation from the rest of the grid to preserve stability of the wider system. "We believe the worst case is an islanding event where the transmission or distribution site walls itself off from the rest of the grid, so you would lose power," in that section of the grid, Caltagirone says.
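Because the malware's breaker commands are well-formed protocol traffic, the detection opportunity is in who sends them and how often, not in any signature. The following is an added example, not code from Dragos, ESET or the article: a minimal IEC 60870-5-104 command parser and a monitor that flags two behaviours the article describes, control commands from a host that is not an authorized control source, and rapid ON/OFF toggling of the same point. It assumes a passive tap that hands over TCP/2404 payloads already split into APDUs; the allow-listed HMI address, the attacker address, the information object address 4097, the thresholds and the sample traffic are all constructed for the demo.

```python
"""Flag IEC 60870-5-104 breaker commands that look like CrashOverride-style abuse.

Added example (not code from Dragos, ESET or the article). Assumes a passive tap
delivering TCP/2404 payloads split into APDUs and a hypothetical allow-list of
hosts permitted to issue control commands. IPs, IOA, thresholds and traffic are
constructed for the demo.
"""
import struct
from collections import defaultdict, deque

START_BYTE = 0x68
# ASDU type identifiers for process control commands (IEC 60870-5-101/104).
CONTROL_TYPES = {
    45: "C_SC_NA_1",  # single command (one-bit point such as a breaker)
    46: "C_DC_NA_1",  # double command (DCS: 1 = OFF, 2 = ON)
    58: "C_SC_TA_1",  # single command with CP56Time2a time tag
    59: "C_DC_TA_1",  # double command with CP56Time2a time tag
}
COT_ACTIVATION, COT_DEACTIVATION = 6, 8


def parse_control_command(apdu: bytes):
    """Return (type_id, cot, common_addr, ioa, state) for an I-format control
    ASDU carrying one information object, or None for anything else."""
    if len(apdu) < 6 or apdu[0] != START_BYTE or apdu[1] != len(apdu) - 2:
        return None
    if apdu[2] & 0x01:          # bit 0 of control octet 1 set: S- or U-format, no ASDU
        return None
    asdu = apdu[6:]
    if len(asdu) < 10:
        return None
    type_id, _vsq, cot_raw, _originator, ca = struct.unpack("<BBBBH", asdu[:6])
    if type_id not in CONTROL_TYPES:
        return None
    cot = cot_raw & 0x3F        # drop the test (bit 7) and P/N (bit 6) flags
    ioa = asdu[6] | asdu[7] << 8 | asdu[8] << 16
    qualifier = asdu[9]         # SCO/DCO octet; bit 7 is select(1)/execute(0)
    if type_id in (45, 58):
        state = "ON" if qualifier & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
    return type_id, cot, ca, ioa, state


class BreakerCommandMonitor:
    """Alert on control commands from unauthorized hosts and on rapid
    toggling of one point (the 'flip breakers until protection islands
    the site' pattern)."""

    def __init__(self, allowed_sources, max_toggles=4, window_s=60.0):
        self.allowed = set(allowed_sources)
        self.max_toggles = max_toggles
        self.window_s = window_s
        self.history = defaultdict(deque)   # (ca, ioa) -> deque of (ts, state)

    def observe(self, ts, src_ip, apdu):
        """Feed one APDU; return a list of (alert_kind, detail) tuples."""
        parsed = parse_control_command(apdu)
        if parsed is None:
            return []
        type_id, cot, ca, ioa, state = parsed
        if cot not in (COT_ACTIVATION, COT_DEACTIVATION):
            return []       # confirmations/terminations are RTU replies, not commands
        alerts = []
        detail = f"{src_ip} -> {CONTROL_TYPES[type_id]} {state} CA={ca} IOA={ioa}"
        if src_ip not in self.allowed:
            alerts.append(("unauthorized_source", detail))
        hist = self.history[(ca, ioa)]
        hist.append((ts, state))
        while hist and ts - hist[0][0] > self.window_s:   # keep only the window
            hist.popleft()
        states = [s for _, s in hist]
        toggles = sum(a != b for a, b in zip(states, states[1:]))
        if toggles >= self.max_toggles:
            alerts.append(("rapid_toggle", f"{detail}: {toggles} changes in {self.window_s:.0f}s"))
        return alerts


def build_single_command(ioa, on, send_seq=0, recv_seq=0, ca=1, cot=COT_ACTIVATION):
    """Constructed C_SC_NA_1 'execute' APDU, used only to fabricate demo traffic."""
    asdu = struct.pack("<BBBBH", 45, 1, cot, 0, ca) + ioa.to_bytes(3, "little") + bytes([1 if on else 0])
    apci = bytes([START_BYTE, 4 + len(asdu)]) + struct.pack("<HH", send_seq << 1, recv_seq << 1)
    return apci + asdu


def run_demo():
    """Constructed scenario: the operator HMI (10.0.0.5) opens breaker IOA 4097
    once; later a compromised host (10.0.0.77) toggles it every 2 s. Returns
    alert counts by kind."""
    monitor = BreakerCommandMonitor(allowed_sources={"10.0.0.5"})
    traffic = [(0.0, "10.0.0.5", build_single_command(4097, on=False))]
    traffic += [(100.0 + 2 * i, "10.0.0.77", build_single_command(4097, on=(i % 2 == 0), send_seq=i + 1))
                for i in range(8)]
    counts = defaultdict(int)
    for ts, src, apdu in traffic:
        for kind, detail in monitor.observe(ts, src, apdu):
            counts[kind] += 1
            print(f"[{ts:6.1f}] {kind}: {detail}")
    return dict(counts)


if __name__ == "__main__":
    run_demo()
```

The monitor deliberately ignores activation confirmations and terminations (cause of transmission 7 and 10), which the RTU sends back, so only the host originating the command is judged. In a real deployment the allow-list would be the small, stable set of HMI and gateway addresses for the site, and the toggle threshold would be tuned to the slowest legitimate switching sequence the operators perform.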

The likely duration of a blackout caused by an islanding event would depend heavily on the architecture of the specific site, he says. In the December 2016 attack in Ukraine, grid operators restored power to the affected areas in about 75 minutes by switching over to manual operations. In the US, where substation operations are more automated, such manual overrides could be harder to accomplish, and an outage caused by CrashOverride could take up to two days to fix, Caltagirone says.

CrashOverride/Industroyer is the fourth publicly known malware designed specifically to target industrial control systems and networks. The other three are Stuxnet, Havex, and BlackEnergy. Not too surprisingly, the newly discovered malware incorporates elements and tactics from its predecessors. But it is also very different from them.

Stuxnet, for instance, was custom malware designed specifically to destroy centrifuges being used to enrich uranium at an Iranian facility in Natanz. It used four separate zero-day flaws to execute its mission. BlackEnergy 2 and Havex were both designed primarily to harvest information surreptitiously from ICS systems and networks, says Caltagirone.

CrashOverride/Industroyer's only mission on the other hand is to sabotage and disrupt grid operations.

Where the new malware is comparable to Stuxnet is in its ability to communicate directly with industrial hardware. In that regard, Industroyer and Stuxnet are the only two pieces of malware ever known to have this ability, adds Lipovsky.

"This malware is definitely the work of extremely dedicated, resourceful, and capable attackers with deep knowledge of the architecture and systems in power grid substations," Lipovsky says. "That is probably the most alarming aspect of the attack, especially considering that the hardware and communication protocols are not isolated to Ukraine but used in critical infrastructure worldwide."

Some reports have suggested that ELECTRUM, the group that carried out the Ukraine attacks, is affiliated with Russia. But both Lipovsky and Caltagirone say that there is nothing conclusive to indicate that connection for the moment. ELECTRUM does, however, appear to have direct ties to the Sandworm Team, a Russian cyberespionage group whose campaigns were first publicly documented in October 2014 and which was behind the BlackEnergy-enabled attack on Ukraine's grid in December 2015.

"We have no indication of the attacker's identity, [but] they are certainly not typical cybercriminals or malware writers," Lipovsky says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

6/13/2017 | 3:37:47 PM
Infrastructure Exploits Underrated?
Power plant and grid exploits are getting more notice lately and this is an important step in opening the eyes of both consumers and professionals to the underrated category of infrastructure vulnerabilities.  Whether we are talking about massively automated manufacturing (cars, electronics, etc), transportation (trains, planes, etc) or power (nuclear, electric, etc), infrastructure both networked and siloed is vulnerable to huge-impact hacks that can affect entire states, nations and industries.

The average person is definitely aware (even if on a subconscious level) of the impact on infrastructure that something as singular as a traffic accident, or a train collision, can have.  The amount of interdependent systems and parts that are affected freezes up more than just traffic around an accident.  We are all resources to some extent for other systems, and cargo trucks held up by traffic are causing other systems delays again, and so on.

Now, imagine your airport shutting down entirely due to an electronic intrusion of the air traffic control systems.  Or your state power grids completely shut off.  Imagine nuclear plants pushed to meltdown, or missile silos engaged outside normal controls.  For all the information security industry puts into protecting banks (yes, those too can be brought to a complete shutdown), we need to be sure equal if not superior effort and resources are being assigned to infrastructure.

Understanding the level of intertwined systems that keep society moving, we would see a devastating cascade effect of descent into chaos should any number of U.S. infrastructure towers crumble.  Incidents like those in the Ukraine are a huge red flag to us in the U.S. not to slumber on this.  We must find more funding and more resources and move quickly to ensure the protection of our infrastructure, both high- and low-tech.