Malware which has the ability to take down a city's electrical and power grid has been detected.
Named 'Industroyer', the malware was identified after an attack on Kiev in 2016 and analysis by ESET of the malware has found that it is capable of controlling electricity substation switches and circuit breakers directly. This is done using industrial communication protocols used around the world in power supply infrastructure, transportation control systems and other critical infrastructure systems (such as water and gas).
In particular, Industroyer uses protocols in a common fashion, and its core component is a backdoor that attackers use to install and control the components. The malware connects to a remote server to receive commands and to report to the attackers.
What is specifically different about Industroyer is its use of four payload components, which are designed to gain direct control of switches and circuit breakers at an electricity distribution substation. These work in stages to map a network, and issue commands to work with the specific industrial control devices.
It also uses Tor software to communicate privately with command and control servers, while an additional backdoor is designed to regain access to the targeted network in case the main backdoor is detected and/or disabled.
Anton Cherepanov, senior malware researcher at ESET, said: “While being universal, in that it can be used to attack any industrial control system using some of the targeted communication protocols, some of the components in analyzed samples were designed to target particular hardware. For example, the wiper component and one of the payload components are tailored for use against systems incorporating certain industrial power control products by ABB, and the DoS component works specifically against Siemens SIPROTECT devices used in electrical substations and other related fields of application.
“Thanks to its ability to persist in the system and provide valuable information for tuning-up the highly configurable payloads, attackers could adapt the malware to any environment, which makes it extremely dangerous. Regardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve as a wake-up call for those responsible for security of critical systems around the world.”
ESET acknowledged that while the investigation into the Ukrainian power outage is still ongoing, it was not able to confirm that the Industroyer malware was the direct cause.
Nevertheless, we believe that to be a very probable explanation, as the malware is able to directly control switches and circuit breakers at power grid substations using four ICS protocols and contains an activation timestamp for December 17 2016, the day of the power outage,” its whitepaper claimed.
Andrea Carcano, co-founder and chief product officer at Nozomi Networks, told Infosecurity that from working closely with global power system companies, it knows communication protocols in depth and if the Industroyer malware infection had occurred on a system that its solution (SCADAguardian) was operating on, it would detect the unusual messages and send alerts that would help mitigate the impact.
“After years of working closely with global power generators, we have seen that network communications across grids are usually very stable and that once baselined, it’s possible to detect anomalies,” he said. “Unusual messages using regular power system communication protocols can be identified and flagged, and action can be taken on them before an outage occurs.”
Carcano called the implications of the Crash Override or Industroyer malware ‘significant’, as unlike Stuxnet which was designed to attack a particular uranium enrichment plant, this malware is broad-based and could affect power grids in many countries.
“We recommend that electric utilities monitor and improve their cyber-resiliency programs, including implement real-time ICS cybersecurity and visibility solutions.”