Industroyer

Security researchers from ESET have discovered a brand new malware strain that was specifically built to target equipment installed in power grids, and which has already been deployed in live attacks in Ukraine.

These attacks took place on December 17, 2016, and shut down electrical power distribution to a large area of Kiev, Ukraine's capital.

The incident must not be confused with another cyber-attack that targeted Ukraine in December 2015, which also shut down power supply to large areas of western Ukraine. Those incidents were caused by another ICS malware named BlackEnergy.

2016 attacks caused by Industroyer malware

The strain detected in December 2016 was found by ESET security researchers, who named it Industroyer. ESET says the malware does not share code with BlackEnergy and appears to have been created from scratch.

Experts say Industroyer was designed to target only a specific set of industrial equipment, usually found in the networks of power distribution companies, such as electricity substation switches and circuit breakers.

Industroyer malware operations

The malware doesn't infect these devices themselves, but the regular computers that run ICS/SCADA management software. Experts say Industroyer was designed to relay commands to switches and circuit breakers that support four very popular industry standards (listed below).

This allows the malware to adjust settings or shut down equipment, causing network outages, cascading failures, and even physical damage to equipment. Furthermore, because electric power supply is crucial to other sectors, Industroyer's damage far exceeds what the local power supply companies alone can assess.

Industroyer is the work of an experienced developer

At the technical level, the malware is what you'd expect from a well-designed cyber weapon.

Industroyer is modular malware. Its core component is a backdoor used by attackers to manage the attack: it installs and controls the other components and connects to a remote server to receive commands and to report to the attackers.

What sets Industroyer apart from other malware targeting infrastructure is its use of four payload components, which are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.

Each of these components targets particular communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA).

Generally, the payloads work in stages whose goals are mapping the network, and then figuring out and issuing commands that will work with the specific industrial control devices. Industroyer’s payloads show the authors’ deep knowledge and understanding of industrial control systems.
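As an added illustration from the detection side (this is not ESET's, Dragos's or the malware's code), the following parser reads IEC 60870-5-104 APDUs, one of the four protocols named above, and flags control-direction command ASDUs that arrive from a host outside an allowlist of legitimate controllers; the sample frames, IP addresses and allowlist are constructed for the example.

```python
"""Added example: minimal IEC 60870-5-104 APDU parser used as a detection rule.
Control-direction commands (single/double commands, setpoints) are only expected
from known HMI/controller hosts; anything else is worth an alert."""
import struct

# ASDU type IDs for commands in the control direction (IEC 60870-5-101/104 tables):
# 45..51 = C_SC_NA_1 .. C_BO_NA_1, 58..64 = the same commands with time tags.
CONTROL_TYPES = set(range(45, 52)) | set(range(58, 65))
COT_ACTIVATION = 6  # cause of transmission "activation"

def parse_apdu(buf: bytes) -> dict:
    """Parse one APDU. Returns {} if malformed; for S/U-frames only the format."""
    if len(buf) < 6 or buf[0] != 0x68 or buf[1] != len(buf) - 2:
        return {}
    if buf[2] & 0x01:  # S- or U-format control field: carries no ASDU
        return {"format": "S" if buf[2] & 0x03 == 1 else "U"}
    if len(buf) < 12:  # I-frame needs at least the 6-byte ASDU header
        return {}
    # ASDU header: type id, VSQ, COT (cause + originator), common address (LE)
    type_id, vsq, cot, _orig, ca = struct.unpack_from("<BBBBH", buf, 6)
    ioa = int.from_bytes(buf[12:15], "little") if len(buf) >= 15 else None
    return {"format": "I", "type_id": type_id, "count": vsq & 0x7F,
            "cot": cot & 0x3F, "common_addr": ca, "ioa": ioa}

def detect(frames, allowed_sources):
    """frames: iterable of (src_ip, apdu_bytes). Returns a list of alert strings."""
    alerts = []
    for src, raw in frames:
        apdu = parse_apdu(raw)
        if apdu.get("format") != "I" or apdu["type_id"] not in CONTROL_TYPES:
            continue
        if apdu["cot"] == COT_ACTIVATION and src not in allowed_sources:
            alerts.append(f"{src}: control ASDU type {apdu['type_id']} "
                          f"to CA {apdu['common_addr']} IOA {apdu['ioa']}")
    return alerts

# Constructed sample traffic (not captured data): a status report from the RTU,
# a double command activation from an unknown host, and a TESTFR keep-alive.
SAMPLE = [
    ("10.0.0.5",  bytes.fromhex("680e00000000" "01010300" "0100" "010000" "01")),
    ("10.0.0.99", bytes.fromhex("680e00000000" "2e010600" "0100" "010000" "01")),
    ("10.0.0.99", bytes.fromhex("680443000000")),
]
ALLOWED = {"10.0.0.5"}  # constructed allowlist of legitimate controller hosts

if __name__ == "__main__":
    for line in detect(SAMPLE, ALLOWED):
        print(line)
```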

Industroyer malware modules

On top of these, Industroyer also comes with a secondary backdoor in case the first one is detected and removed, a port scanner to search the local network for attached devices, and a data wiper module that deletes the malware and destroys the target's computer, most likely to delay responders from restoring power.

Russia, the Ukraine conflict, and cyber-attacks

In the past two years, only Ukraine has been the target of power-grid-crippling malware, attacks that, coincidentally or not, started after Russia invaded Crimea. Furthermore, tensions between the two countries escalated after Russia started backing rebels looking to set up independent pro-Russian territories in eastern Ukraine.

Based on this alone, many would be tempted to blame Industroyer on Russia. Nonetheless, ESET researchers haven't gone on record to do so just yet.

"Attribution is always tricky in cyber-attacks, and we always refrain from speculations, even more so when it comes to sensitive geopolitical issues," Robert Lipovský, senior malware researcher at ESET, told Bleeping Computer via email.

"To attribute merely based on assumptions about the interests of countries in a state of war without concrete evidence would be pure speculation and dangerous. And in the case of Industroyer, there was no indication in the malware that could point to an attacker – Russian or other," he added. "As for the possible explanations why Ukraine was targeted, regardless of who may be behind it, that’s a very good question to which we don’t have a definite answer."

Industroyer was most likely a test

Lipovský tells Bleeping Computer that the malware and its impact must not be over-exaggerated.

"Considering that the relatively low impact of the blackout (one region, one hour around midnight) is in great contrast with the sophistication of the malware used and its cost to develop and deploy," the ESET expert says. "It may be that the attackers have failed in some way, or another possible explanation is that it was a test before a greater attack."

Nevertheless, the expert warns about the dangers of not securing industrial networks.

"What we are seeing is the omnipresent battle between security vs. convenience and features which are present in all areas of technology," Lipovský says. "In ICS, it’s even worse, considering its specifics, like extremely problematic security updates, limited ability for protection and malware prevention, and so on."

"All the while [...] we’re moving towards smart-grids, which require real-time two-way communication by definition. Of course, professionals responsible for the security of critical infrastructure treat these threats extremely seriously. It’s a complicated issue," the expert concludes, showing the problematic state of industrial systems designed long before "cyberspace" was considered a NATO battlefield.

The full ESET report is here. US cyber-security firm Dragos also took a look at the malware, which they track internally as CrashOverride. Their report is available here.

In a survey last year, experts found that most industrial systems get infected with malware by accident, and it's usually with commodity malware such as worms, trojans, and ransomware that infect computers controlling ICS/SCADA gear, and not necessarily the equipment per se.

According to Shodan.io founder John Matherly, there are over 100,000 different types of industrial control systems currently connected to the Internet.

Image credits: ESET
