Researchers at Dragos Security and ESET have released in-depth analyses of the cyber attack that caused a massive blackout in Kiev, Ukraine on December 17 and 18, 2016.
Dragos identifies the malware as CrashOverride, while ESET calls it Industroyer.
ESET senior malware researcher Anton Cherepanov wrote in a blog post that the malware is particularly dangerous because it’s capable of directly controlling electricity substation switches and circuit breakers. “To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas),” he wrote.
The potential impact of an Industroyer attack, Cherepanov noted, could range from just turning off power to causing serious damage to equipment. “The severity may also vary from one substation to another, as well,” he wrote.
“Needless to say, disruption of such systems can directly or indirectly affect the functioning of vital services,” Cherepanov added.
Leveraging Outdated Protocols
The core component of the malware is a backdoor that installs and controls four payload components. “Generally, the payloads work in stages whose goals are mapping the network, and then figuring out and issuing commands that will work with the specific industrial control devices,” Cherepanov wrote. “Industroyer’s payloads show the authors’ deep knowledge and understanding of industrial control systems.”
The malware leverages protocols designed decades ago, when industrial systems were isolated from the outside world and weren’t designed with security in mind. “That means that the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware ‘to speak’ those protocols,” Cherepanov wrote.
In Dragos’ blog post on the malware, company CEO and founder Robert M. Lee added, “Dragos can also confirm that we are tracking the adversary group behind the attack as ELECTRUM, and can assess with high confidence the group has direct ties to the Sandworm Team which targeted infrastructure companies in the United States and Europe in 2014 and Ukraine electric utilities in 2015.”
The Dragos report [PDF] states that many elements of the CrashOverride attack in Ukraine “appear to have been more of a proof of concept than what was fully capable in the malware.”
An Advancement in Capability
CrashOverride, according to Dragos, “marks an advancement in capability by adversaries who intend to disrupt operations and poses a challenge for defenders who look to patching systems as a primary defense, using anti-malware tools to spot specific samples, and relying upon a strong perimeter or air-gapped network as a silver-bullet solution.”
“Adversaries are getting smarter, they are growing in their ability to learn industrial processes and codify and scale that knowledge, and defenders must also adapt,” the report notes.
Tenable federal technical director John Chirhart told eSecurity Planet by email that malware like this is the new normal for today’s fast-changing security environment. “There’s no way to be strategic about your security if you’re always reacting to the threat of the day,” he said.
“Single use ‘best of breed’ security products are no longer enough,” Chirhart added. “CISOs need a unified view from a single platform that can draw on active, passive and agent scanning to see everything from containers to MRI machines. Stop chasing the latest headline-breaking threat and instead implement a strategic and agile security program to proactively manage cyber risk for the modern enterprise.”