Security researchers from ESET and Dragos have identified a new malware strain built specifically to target equipment installed in power grids, and which has already been used in live attacks in Ukraine.
The attack took place on December 17, 2016, and cut electrical power distribution to a large area of Kiev, Ukraine's capital.
This incident should not be confused with the cyber-attack on Ukraine in December 2015, which also cut power to large areas of western Ukraine. Those outages were attributed to a different piece of ICS malware, BlackEnergy.
The strain detected in December 2016 was found by ESET security researchers, who named it Industroyer. ESET says the malware does not share code with BlackEnergy and appears to have been created from scratch.
Experts say Industroyer was designed to target only a specific set of industrial equipment, usually found in the networks of power distribution companies, such as electricity substation switches and circuit breakers.
The malware does not run on the grid devices themselves. It infects the ordinary computers that run ICS/SCADA management software and uses them to issue commands to switches and circuit breakers that speak four widely used industrial protocols: IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA.
That lets the malware change settings or de-energize equipment, causing outages, cascading failures and potentially physical damage. Because electric power underpins every other sector, the damage Industroyer can do far exceeds what the affected power companies alone can assess.
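The following is an added example, not code from the article, ESET or Dragos. IEC 60870-5-104 is one of the protocols ESET's report says Industroyer speaks, and it is also the one most easily watched on the wire because it runs over TCP (conventionally port 2404). The monitor below parses a captured byte stream into APDUs and raises an alert for every control-direction command (single, double and regulating-step commands, the ASDU types that open or close breakers), decoding the target information object address, the select/execute bit and the commanded state. The sample traffic is constructed for the example; the field layouts (start byte 0x68, 4-byte control field, 2-byte cause of transmission and common address, 3-byte IOA) follow the IEC 104 standard.

```python
# Added example (not code from the article, ESET or Dragos): a minimal
# IEC 60870-5-104 monitor that parses APDUs from a TCP/2404 byte stream and
# flags control-direction commands (the ASDU types used to open/close
# breakers). Field layouts follow IEC 60870-5-104; sample bytes are constructed.
import struct

APDU_START = 0x68

# Control-direction ASDU type IDs (decimal) and their IEC names.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    60: "C_RC_TA_1 regulating step command with time tag",
}
# Information element size per type: one SCO/DCO/RCO byte, plus a
# 7-byte CP56Time2a timestamp for the time-tagged variants.
ELEMENT_SIZE = {45: 1, 46: 1, 47: 1, 58: 8, 59: 8, 60: 8}
COT_NAMES = {6: "activation", 7: "activation confirmation", 8: "deactivation"}


def decode_state(type_id, qualifier):
    """Decode the commanded state from the SCO/DCO/RCO low bits."""
    if type_id in (45, 58):                   # SCS: bit 0 (1 = ON)
        return "ON" if qualifier & 0x01 else "OFF"
    if type_id in (46, 59):                   # DCS: bits 0-1 (1 = OFF, 2 = ON)
        return {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
    return {1: "LOWER", 2: "HIGHER"}.get(qualifier & 0x03, "INVALID")  # RCS


def parse_asdu(asdu):
    """Parse an IEC 104 ASDU (2-byte cause of transmission, 2-byte common address)."""
    type_id, vsq = asdu[0], asdu[1]
    sq, count = vsq >> 7, vsq & 0x7F
    cot = asdu[2] & 0x3F
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    result = {"type_id": type_id, "cot": cot, "common_addr": common_addr, "objects": []}
    size = ELEMENT_SIZE.get(type_id)
    if size is None:                          # monitoring direction or unhandled type
        return result
    pos, ioa = 6, None
    for n in range(count):
        if sq == 0 or n == 0:                 # SQ=1: one IOA, then consecutive addresses
            ioa = asdu[pos] | asdu[pos + 1] << 8 | asdu[pos + 2] << 16
            pos += 3
        else:
            ioa += 1
        qualifier = asdu[pos]
        result["objects"].append({
            "ioa": ioa,
            "select": bool(qualifier & 0x80),  # S/E bit: 1 = select, 0 = execute
            "state": decode_state(type_id, qualifier),
        })
        pos += size
    return result


def parse_apdus(stream):
    """Split a byte stream into APDUs; I-format frames get their ASDU parsed."""
    apdus, i = [], 0
    while i + 2 <= len(stream):
        if stream[i] != APDU_START:
            raise ValueError(f"bad APDU start byte at offset {i}")
        length = stream[i + 1]
        body = stream[i + 2:i + 2 + length]
        if len(body) < length:
            break                             # truncated frame: wait for more bytes
        i += 2 + length
        ctrl0 = body[0]
        fmt = "I" if ctrl0 & 0x01 == 0 else ("S" if ctrl0 & 0x03 == 0x01 else "U")
        apdu = {"format": fmt}
        if fmt == "I":
            apdu.update(parse_asdu(body[4:]))
        apdus.append(apdu)
    return apdus


def flag_control_commands(stream):
    """Return one alert per commanded information object address."""
    alerts = []
    for apdu in parse_apdus(stream):
        if apdu["format"] != "I" or apdu["type_id"] not in CONTROL_TYPES:
            continue
        for obj in apdu["objects"]:
            alerts.append({
                "type": CONTROL_TYPES[apdu["type_id"]],
                "cot": COT_NAMES.get(apdu["cot"], str(apdu["cot"])),
                "common_addr": apdu["common_addr"],
                **obj,
            })
    return alerts


# Constructed sample traffic: single command ON (execute) to IOA 0x1234,
# double command OFF (select) to IOA 16, a spontaneous single-point
# indication (monitoring direction, must not alert), and an S-frame.
SAMPLE = bytes.fromhex(
    "680E000000002D010600010034120001"
    "680E020000002E010600010010000081"
    "680E0400000001010300010000010001"
    "680401000200"
)

if __name__ == "__main__":
    for alert in flag_control_commands(SAMPLE):
        print(alert)
```

In a real deployment the alerts would be compared against the list of hosts allowed to act as IEC 104 masters: a control command from an engineering workstation or any host other than the SCADA server is the signal that matters, since Industroyer issues its commands from a compromised machine inside the control network rather than from a rogue external address.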
At the technical level, the malware is what you'd expect from a well-designed cyber weapon.
On top of its main backdoor and the protocol-specific payloads, Industroyer also ships a secondary backdoor to fall back on if the first is detected and removed, a port scanner that sweeps the local network for attached devices, and a data wiper module that deletes the malware and renders the host unbootable, most likely to slow responders trying to restore power.
In the past two years only Ukraine has been hit by power-grid-crippling malware, a run that, coincidentally or not, began after Russia annexed Crimea. Tensions between the two countries escalated further once Russia started backing rebels seeking to set up independent pro-Russian territories in eastern Ukraine.
Based on this alone, many would be tempted to blame Industroyer on Russia. Nonetheless, ESET researchers haven't gone on record to do so just yet.
"Attribution is always tricky in cyber-attacks, and we always refrain from speculations, even more so when it comes to sensitive geopolitical issues," Robert Lipovský, senior malware researcher at ESET, told Bleeping Computer via email.
"To attribute merely based on assumptions about the interests of countries in a state of war, without concrete evidence, would be pure speculation and dangerous. And in the case of Industroyer, there was no indication in the malware that could point to an attacker – Russian or other," he added. "As for the possible explanations why Ukraine was targeted, regardless of who may be behind it, that's a very good question to which we don't have a definite answer."
Lipovský tells Bleeping Computer that the malware and its impact should not be exaggerated.
"Considering that the relatively low impact of the blackout (one region, one hour around midnight) is in great contrast with the sophistication of the malware used and its cost to develop and deploy," the ESET expert says. "It may be that the attackers have failed in some way, or another possible explanation is that it was a test before a greater attack."
Nevertheless, the expert warns about the dangers of not securing industrial networks.
"What we are seeing is the omnipresent battle between security vs. convenience and features which are present in all areas of technology," Lipovský says. "In ICS, it’s even worse, considering its specifics, like extremely problematic security updates, limited ability for protection and malware prevention, and so on."
"All the while [...] we’re moving towards smart-grids, which require real-time two-way communication by definition. Of course, professionals responsible for the security of critical infrastructure treat these threats extremely seriously. It’s a complicated issue," the expert concludes, showing the problematic state of industrial systems designed long before "cyberspace" was considered a NATO battlefield.
The full ESET report is here. US cyber-security firm Dragos also took a look at the malware, which they track internally as CrashOverride. The company allowed ESET to break the news about these new attacks and will be releasing their separate report later today. [UPDATE: Dragos report on CrashOverride is available here.]
"#CRASHOVERRIDE report will be out later this morning. It will overview grid operations and the impacts of this. It's to educate and de-hype." (Ben Miller, @electricfork, June 12, 2017)
In a survey last year, Dragos found that most industrial systems get infected by accident, usually with commodity malware (worms, trojans and ransomware) that lands on the computers controlling ICS/SCADA gear rather than on the equipment itself.
According to Shodan.io founder John Matherly, more than 100,000 industrial control systems are currently reachable directly from the Internet.
Image credits: ESET