- Jun 12, 2015
Dubbed Crash Override by Dragos Inc. and Industroyer by Slovakia-based ESET, it was used on Kiev last December in what experts think was a test. It's scalable and robust, with many features not even used in that test. Its use in Ukraine indicates the big new player in software weaponry, Russia. Stuxnet was a U.S. weapon of a similar nature, targeting Iranian centrifuges, and the beginning of the future.
The researchers say this new malware can automate mass power outages, like the one in Ukraine's capital, and includes swappable, plug-in components that could allow it to be adapted to different electric utilities, easily reused, or even launched simultaneously across multiple targets. They argue that those features suggest Crash Override could inflict outages far more widespread and longer lasting than the Kiev blackout.
"The potential impact here is huge," says ESET security researcher Robert Lipovsky. "If this is not a wakeup call, I don't know what could be."
The adaptability of the malware means that the tool poses a threat not just to the critical infrastructure of Ukraine, researchers say, but to other power grids around the world, including America's. "This is extremely alarming for the fact that nothing about it is unique to Ukraine," says Robert M. Lee, the founder of the security firm Dragos and a former intelligence analyst focused on critical infrastructure security for a three-letter agency he declines to name. "They've built a platform to be able to do future attacks."
Instead of gaining access to the Ukrainian utilities' networks and manually switching off power to electrical substations, as hackers did in 2015, the 2016 attack was fully automated, the ESET and Dragos researchers say. It was programmed to include the ability to "speak" directly to grid equipment, sending commands in the obscure protocols those controls use to switch the flow of power on and off. That means Crash Override could perform blackout attacks more quickly, with far less preparation, and with far fewer humans managing it, says Dragos' Rob Lee.
"It's far more scalable," Lee says. He contrasts the Crash Override operation to the 2015 Ukraine attack, which he estimates required more than 20 people to attack three regional energy companies. "Now those 20 people could target ten or fifteen sites or even more, depending on time."
Like Stuxnet, Crash Override has elements that attackers could program to run without any feedback from operators, even on a network that's disconnected from the internet—what Lee describes as a "logic bomb" functionality, meaning it could be programmed to automatically detonate at a preset time. From the hacker's point of view, he adds, "you can be confident it will cause disruption without your interaction."
It's unclear who created CrashOverride. Both ESET and Dragos say it was built from scratch, leaving none of the usual fingerprints that allow analysts to link one hacking campaign to another. Ukraine has faced a near-biblical plague of cyberattacks since entering into hostilities with Russia three years ago, and many have led unequivocally to Moscow. But not so with CrashOverride.
The only thing that's certain, says security researcher Robert Lee, CEO of Dragos, is that the malware wasn't built as a one-time weapon. It's designed from the ground up to be easily reconfigured for a variety of targets and contains some payloads that weren't even fired off in the Kiev attack.
"It's a nightmare," Lee said. "The malware in its current state would be usable for every power plant in Europe. This is a framework designed to target other places."
https://www.wired.com/story/crash-override-malware/

ESET said the malware, which it dubbed Industroyer, may be behind the one-hour shutdown of power to the Ukraine capital Kiev last December.
The company said Industroyer's potent threat is that it works using the communication protocols designed decades ago and built into energy, transportation, water and gas systems around the world.
Making use of these poorly-secured protocols, Industroyer can take direct control of electricity substation switches and circuit breakers, giving hackers the ability to shut down power distribution and damage equipment.
The malware is the "biggest threat to industrial control systems since Stuxnet," ESET said, without indicating who was behind it.
But in a separate report on the same malware Monday, a second cyber security company, Dragos, tied it to a Russian hacker group called Sandworm which has been linked to the Russian government.
Dragos gave its own name to the malware, "CrashOverride," and said it is only the second-ever malware deployed for disrupting physical industrial processes, after Stuxnet.
"CrashOverride is not unique to any particular vendor or configuration, and instead leverages knowledge of grid operations and network communications to cause impact," Dragos said.
"In that way, it can be immediately re-purposed in Europe and portions of the Middle East and Asia."
In addition, it said, the malware could be adapted "with a small amount of tailoring" to render it potent against the North American power grid.
It said that the malware can be applied to work at several electricity substations at the same time, giving it the power to create a widespread power shutdown that could last for hours and potentially days.
Dragos said it had "high confidence" the malware was behind the power outage in Kiev on December 17.