A brief blackout in Ukraine’s capital Kiev in December 2016 was likely caused by newly discovered malware that targets physical processes in electricity-sector industrial control systems (ICS).
Slovakia-based ESET, which discovered the malware and calls it Industroyer, provided Dragos, a US firm specializing in critical infrastructure security, with some of its components so that Dragos (which calls it CrashOverride) could validate the findings.
The malware presents a serious threat because it speaks network protocols common to grids in Europe, Asia and the Middle East, among them IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA. These are the protocols control-centre systems use to talk to remote terminal units (RTUs), which in turn operate substation switches and circuit breakers, for example to balance load across a grid.
ESET calls it the biggest threat to industrial control systems since Stuxnet, the presumed US-Israeli cyberweapon that targeted a uranium enrichment facility in Iran. By the researchers’ account it is the only malware since Stuxnet known to have been designed to interfere with physical industrial processes.
The danger lies in the malware’s ability to be quickly reconfigured to target other energy networks around the world, according to the researchers.
The malware isn’t specific to any one vendor or configuration but relies instead on knowledge of how to impact a grid’s operational and network communications, according to Dragos.
“In that way, it can be immediately re-purposed in Europe and portions of the Middle East and Asia,” notes Dragos. Targeting the North American grid would require only minor adjustments, for example adding a stack for a protocol common to that market such as DNP3.
Industroyer/CrashOverride consists of a core backdoor and remote access tool that launches and controls modular components. These include four payload components, one per supported protocol, for mapping a target network and directly operating switches and circuit breakers.
It also includes a disk wiper to stymie efforts to recover affected systems and a denial-of-service tool aimed at Siemens SIPROTEC protection relays. There is also evidence that the malware targets certain processes belonging to industrial control software from the Swedish-Swiss firm ABB.
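The protocol-level point above, as an added example that is not code from ESET, Dragos or the malware itself: a minimal decoder for IEC 60870-5-104 (one of the protocols the payloads speak) that recognises the ASDU types used to command switches and breakers through an RTU, and flags control activations arriving from a host that is not an authorised control master. The frames, IP addresses and allow-list are constructed for the example; the `build_single_command` helper exists only to fabricate that sample traffic.

```python
"""Added example, not code from ESET, Dragos or the malware: decode IEC 60870-5-104
APDUs and flag control commands (the ASDU types that operate switches and breakers
via an RTU) sent by a host that is not an authorised control master. All frames,
addresses and the allow-list are constructed for the example."""
import struct

START = 0x68

# ASDU type identifiers that carry control commands, per IEC 60870-5-101,
# plus their time-tagged counterparts (types 58-64 mirror 45-51).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point (normalised)",
    49: "C_SE_NB_1 set point (scaled)",
    50: "C_SE_NC_1 set point (short float)",
    51: "C_BO_NA_1 bitstring of 32 bits",
}
CONTROL_TYPES.update({t: CONTROL_TYPES[t - 13] + ", time-tagged" for t in range(58, 65)})

U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

def parse_apdu(frame: bytes) -> dict:
    """Decode one APDU: the 6-byte APCI and, for I-format frames, the ASDU."""
    if len(frame) < 6 or frame[0] != START:
        raise ValueError("not an IEC 104 APDU")
    if len(frame) != frame[1] + 2:          # length byte covers control fields + ASDU
        raise ValueError("length field does not match frame size")
    c1, c2, c3, c4 = frame[2:6]
    recv_seq = (c3 >> 1) | (c4 << 7)
    if c1 & 0x01 == 0:                      # I-format: numbered, carries an ASDU
        return {"format": "I", "send_seq": (c1 >> 1) | (c2 << 7),
                "recv_seq": recv_seq, "asdu": parse_asdu(frame[6:])}
    if c1 & 0x03 == 0x01:                   # S-format: supervisory acknowledgement only
        return {"format": "S", "recv_seq": recv_seq}
    return {"format": "U", "function": U_FUNCTIONS.get(c1, "unknown")}

def parse_asdu(data: bytes) -> dict:
    """Decode the ASDU header and, for control commands, the first information object."""
    if len(data) < 6:
        raise ValueError("ASDU too short")
    type_id, vsq, cot, orig = data[0], data[1], data[2], data[3]
    asdu = {"type_id": type_id, "sq": bool(vsq & 0x80), "count": vsq & 0x7F,
            "cause": cot & 0x3F, "negative": bool(cot & 0x40),
            "test": bool(cot & 0x80), "originator": orig,
            "common_addr": struct.unpack_from("<H", data, 4)[0]}
    if type_id in CONTROL_TYPES and len(data) >= 10:
        asdu["ioa"] = data[6] | (data[7] << 8) | (data[8] << 16)   # 3-byte information object address
        qual = data[9]                                              # SCO / DCO qualifier byte
        asdu["select"] = bool(qual & 0x80)                          # S/E bit: 1 = select, 0 = execute
        if type_id in (45, 58):
            asdu["state"] = "ON" if qual & 0x01 else "OFF"          # SCS, bit 0
        elif type_id in (46, 59):
            asdu["state"] = {1: "OFF", 2: "ON"}.get(qual & 0x03, "invalid")  # DCS, bits 0-1
    return asdu

def build_single_command(ioa: int, on: bool, select: bool = False) -> bytes:
    """Construct a C_SC_NA_1 activation (COT 6) to common address 1. Used only to
    fabricate sample traffic for this example."""
    sco = (0x80 if select else 0x00) | (0x01 if on else 0x00)
    asdu = bytes([45, 0x01, 0x06, 0x00]) + struct.pack("<H", 1) \
        + bytes([ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, sco])
    apci = bytes(4)                                                 # I-format, sequence numbers 0/0
    return bytes([START, len(apci) + len(asdu)]) + apci + asdu

def flag_unauthorised_controls(packets, authorised_masters) -> list:
    """packets: iterable of (src_ip, apdu_bytes). Returns one alert per control
    activation (COT 6) that did not originate from an authorised control master."""
    alerts = []
    for src, frame in packets:
        asdu = parse_apdu(frame).get("asdu")
        if not asdu or asdu["type_id"] not in CONTROL_TYPES or asdu["cause"] != 6:
            continue
        if src not in authorised_masters:
            alerts.append({"src": src, "type": CONTROL_TYPES[asdu["type_id"]],
                           "ioa": asdu.get("ioa"), "state": asdu.get("state"),
                           "select": asdu.get("select")})
    return alerts

# Constructed sample traffic: one legitimate HMI and an unknown host on the same segment.
AUTHORISED_MASTERS = {"10.0.1.10"}
SAMPLE_PACKETS = [
    ("10.0.1.10", build_single_command(1001, on=True)),               # HMI closes breaker 1001
    ("10.0.1.10", build_single_command(1002, on=False, select=True)), # HMI selects 1002 for opening
    ("10.0.1.57", bytes([START, 0x04, 0x07, 0x00, 0x00, 0x00])),      # STARTDT act, no ASDU
    ("10.0.1.57", build_single_command(1001, on=False)),              # unknown host opens breaker 1001
]

if __name__ == "__main__":
    for alert in flag_unauthorised_controls(SAMPLE_PACKETS, AUTHORISED_MASTERS):
        print(alert)
```

Running the block prints a single alert, for the unauthorised host opening breaker 1001. The allow-list is deliberately the simplest possible policy and has an obvious blind spot: if the attacker's tooling runs on the legitimate master, the source address is authorised and nothing fires. The same decoder supports sturdier checks, such as baselining which information object addresses normally receive commands, or alerting on any execute (S/E bit clear) that arrives outside a maintenance window.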
Supporting its theory that this malware was used against the Kiev substation in the 2016 outage, ESET notes that an activation timestamp in the malware, December 17, 2016, coincides with the day of the city’s hour-long blackout.
The 2016 outage came almost exactly a year after a BlackEnergy malware attack on Ukrainian energy distribution companies left over 200,000 customers in western Ukraine without power. ESET notes that BlackEnergy is similar in concept to Industroyer but less sophisticated: it lacked tools to directly control ICS equipment.
According to Dragos, only a subset of the malware framework was used in the attack on the Kiev substation in 2016, suggesting it may have been a test run for a more serious attack in the future.
There are limitations to the malware in its current form. Dragos researchers believe it would not lead to a catastrophic event, but that it could cause outages lasting hours at targeted locations, or up to several days if multiple sites were hit.
“CRASHOVERRIDE is an extremely concerning capability but should not be taken with any ‘doom and gloom’ type scenarios. Everything past single substation events and small islanding events of targeting a few multiple locations is purely speculation and not worth discussion at this time,” Dragos concludes.