First Malware Designed Solely for Electric Grids Caused 2016 Ukraine Outage
Attackers used CrashOverride/Industroyer to cause a partial power outage in Kiev, Ukraine, but it can be used anywhere, say researchers at Dragos and ESET.
June 12, 2017
Researchers from cybersecurity firms Dragos and ESET this week sounded the alarm on what they described as the first ever malware designed specifically to attack the electric grid at scale.
A threat group calling itself ELECTRUM used the malware - dubbed CrashOverride and Industroyer by the two vendors respectively - in an attack against Ukraine's power grid in December 2016 that resulted in parts of Kiev losing power for about an hour.
The malware does not target any particular vendor's technology nor does it leverage any specific vulnerability or vulnerabilities. Instead, it is designed to map, target and attack grid operations by taking advantage of particular communication protocols used by industrial control systems. The malware uses the protocols in the manner that they were designed to be used. Because of this, the usual defensive measures such as patching, anti-malware tools, air-gapping and perimeter defense tools are useless at stopping the threat.
"The purpose for the malware is clear; cybersabotage, without a doubt," says Robert Lipovsky senior malware researcher at ESET.
What's unclear, however, is what exactly the threat actors were trying to accomplish with their attacks in Ukraine, he says. Considering the sophistication of the malware and the amount of effort that no doubt went into developing it, the attack itself was relatively low impact and was likely just a test run, he says. "The potential impact of this threat is much greater, as the communication protocols and targeted hardware are used in critical infrastructure worldwide."
The fact that CrashOverride/Industroyer is not vendor-, configuration- or vulnerability-specific also makes it trivially easy for threat actors to repurpose the malware and use it against pretty much any electric grid around the world, including the US. "The most significant aspect about CrashOverride is that it is vendor-independent," says Sergio Caltagirone, director of threat intelligence at Dragos. Threat actors can use CrashOveride to operate against grids around the world with little modification. "We are not saying everyone is going to get attacked. But this is a significant advancement in capabilities to attack power grids," Caltagirone says.
In two separate technical papers, Dragos and ESET described the malware as a framework with four modules, or payload components, that are designed to let attackers gain remote control of circuit breakers and switches within an electricity distribution substation. The payloads are designed to work in stages using specific ICS protocols to first map a target network, and then to figure out and issue commands for controlling ICS devices on the network.
[Robert M. Lee, CEO and Founder of Dragos, will be presenting a briefing titled "CRASHOVERRIDE: Zero Things Cool About a Threat Group Targeting the Power Grid" next month at Black Hat USA in Las Vegas.]
Attackers can use CrashOverride/Industroyer to open circuit breakers in a substation and force the breakers to remain open even if grid operators try to close them. This results in a substation becoming de-energized and forces operators to switch to manual operations.
Attackers can also use the malware to continuously toggle circuit breakers on and off until automated protective measures kick in and "island" off a substation from the rest of the grid to ensure stability of operations. "We believe the worst case is an islanding event where the transmission or distribution site walls itself off from the rest of the grid, so you would lose power," in that section of the grid, Caltagirone says.
The likely duration of a blackout caused by an islanding event would be highly dependent on the architecture of the specific site, he says. In the December 2016 attack in Ukraine, grid operators were able to restore power to the affected areas in about 75 minutes by switching over to manual operations. In the US where substation operations are more automated, such manual overrides could be harder to accomplish and an outage caused by CrashOverride could potentially take up to two days to fix, Caltagirone says.
CrashOverride/Industroyer is the fourth publicly known malware designed specifically to target industrial control systems and networks. The other three are Stuxnet, Havex, and BlackEnergy. Not too surprisingly, the newly discovered malware incorporates elements and tactics from its predecessors. But it is also very different from them.
Stuxnet for instance was custom malware designed specifically to destroy centrifuges being used to enrich Uranium at an Iranian facility in Natanz. It used four separate 0-day flaws to execute its mission. BlackEnergy 2 and Havex were both designed primarily to harvest information surreptitiously from ICS systems and networks, says Caltagirone.
CrashOverride/Industroyer's only mission on the other hand is to sabotage and disrupt grid operations.
Where the new malware is comparable to Stuxnet is in its ability to communicate directly with industrial hardware. In that regard, Industroyer and Stuxnet are the only two pieces of malware ever known to have this ability, adds Lipovsky.
"This malware is definitely the work of extremely dedicated, resourceful, and capable attackers with deep knowledge of the architecture and systems in power grid substations," Lipovsky says. "That is probably the most alarming aspect of the attack, especially considering that the hardware and communication protocols are not isolated to Ukraine but used in critical infrastructure worldwide."
Some reports have suggested that ELECTRUM, the group that carried out the Ukraine attacks, is affiliated with Russia. But both Lipovsky and Caltagirone say that there's nothing conclusive to indicate that connection for the moment. ELECTRUM does however appear to have direct ties to the Sandworm Team, a cyberespionage group out of Russia which hit multiple U.S. companies back in October 2014.
"We have no indication of the attacker's identity [but] they are certainly not typical cybercriminals or malware writers," Lipovsky said.
Related content:
About the Author
You May Also Like