Update – Security Firms: New Malware Built to Hobble Electric Grid

In-brief: Experts from two security firms are warning that a newly discovered piece of malware dubbed Crash Override is designed to shut down and even damage electrical substations and other components of the electrical grid. 

A sample of malicious software discovered at the site of a December, 2016 cyber attack on Ukraine’s electrical grid is a previously unknown program that could be capable of causing physical damage to the electrical grid, according to reports by two security firms. (Editor’s note: updated with detail from Dragos on the wiper component and comments from Joe Weiss of Applied Control Solutions. PFR June 12, 2017)

Experts at the firms ESET and Dragos Security said on Monday that the malicious software, dubbed CrashOverride (Dragos) or Industroyer (ESET), affected a “single transmission level substation” in the Ukraine attack on December 17th, 2016 in what appears to have been a test run. Still, experts said that features in the malware show that adversaries are automating and standardizing what were previously manual attacks against critical infrastructure, while also adding features that could be used to disable or damage critical systems – the first evidence of such activity since the identification of the Stuxnet malware in 2010. The existence of the malware was first reported by Wired on Monday.

The Crashoverride malware “took an approach to understand and codify the knowledge of the industrial process to disrupt operations as STUXNET (sp) did,” wrote Dragos Security in a report.

The malware improves on features seen in other malicious software known to target industrial control systems. Specifically, it makes use of and manipulates industrial control system-specific communications protocols. That is similar to features in the ICS malware known as Havex, which targeted grid operators in Europe and the United States in 2014. The Crashoverride malware also targets the libraries and configuration files of so-called “Human Machine Interfaces” (HMIs) to understand the environment it has infected. It can use HMIs, which provide a graphical interface for managing industrial control system equipment, to connect and spread to other Internet-connected equipment and systems, Dragos said.

But those earlier malicious software families were designed for espionage, not destruction, said Ben Miller, the Director of Dragos’ Threat Operations Center. Crash Override, in contrast, is designed to understand the environment it has infected and then attack it. “It’s designed to stop or de-energize substations,” he said. Among other things, the malware contains a basic “wiper” component, akin to the KillDisk used in the 2015 attack. However, the version included with Crash Override/Industroyer was custom-written and designed to target industrial control system files, Miller said in an e-mail.

The malware was discovered by ESET, though its exact source is not clear, nor is it clear how it came to reside on Ukrainian grid systems, Miller said. ESET did not reply to questions regarding the Crash Override/Industroyer malware prior to publication.

In its analysis, the firm ESET said that the malware is especially dangerous because it is capable of controlling electricity substation switches and circuit breakers directly by communicating using standard industrial protocols common to power supply infrastructure, transportation control systems, water, gas and other industrial control systems.

In the most benign circumstances, the malware could simply cause limited blackouts and power failures, as was the case in Ukraine in 2015 and 2016. Or, the malware could cause larger “cascading” failures or damage equipment, disrupting power supplies for months or longer as utilities struggle to replace damaged hardware.

How the Crash Override/Industroyer malware infects electrical substations. (Image courtesy of ESET.)

The software also appears to have absorbed the lessons of a December, 2015 attack on the Ukraine grid that resulted in widespread power outages. The malware “took the same type of approach to understanding grid operations and leveraging the systems against themselves displayed in Ukraine 2015’s attack,” Dragos said. Taken together, these capabilities give would-be attackers a kind of “Swiss Army Knife” for attacks on grid environments, allowing them to launch simultaneous attacks across a wide range of common industrial control system platforms.

“This is well-engineered software that pulls the whole destructive process together,” said Patrick McBride of the firm Claroty, which makes industrial control system security software. Claroty researchers were still analyzing a sample of the Crash Override/Industroyer malware. But McBride said it appears as if the creators took pains to automate the attack workflow of the 2015 incident, including infection, propagation and clean up after infection. “This is better engineered software that can be repurposed for other (industrial control system) environments,” McBride said. “It allows attackers to do more with less.”

ESET said Industroyer is modular malware with features that attackers can use to manage an attack: installing environment-specific components and maintaining connections back to a remote server that sends commands to infected systems and receives their reports. Four of its identified payload components are designed specifically to gain “direct control of switches and circuit breakers at an electricity distribution substation,” ESET wrote.

The malware is modular, with components specific to electrical utilities. (Image courtesy of ESET.)

Still, Dragos said that Crash Override isn’t a fully automated threat like the “Wanna Cry” ransomware that recently spread globally. “It definitely requires human intervention and customization,” notes Miller. Those include “static” (unchangeable) configuration settings, such as the network addresses of systems to attack, that are particular to the Ukrainian environment it was released in. The attacker or attackers who released it needed to do discovery and reconnaissance prior to releasing Crash Override if it were to do its job, Miller said.

For power companies and other operators and owners of industrial control systems, the new malicious software serves as a warning that adversaries are improving their tools and techniques. In particular, its use of legitimate industrial protocols and commands means that security software that relies on spotting the use of unusual protocols or traffic will not spot the activity of Crash Override/Industroyer. “Adversaries are getting smarter,” Dragos wrote. “They are growing in their ability to learn industrial processes and codify and scale that knowledge, and defenders must also adapt,” the company wrote.
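One defensive answer to that warning, as an added example that is not code from ESET, Dragos, Claroty or the article: instead of looking for unusual protocols, baseline which hosts may issue control commands to which devices and alert on control commands that fall outside that baseline or arrive in a burst from one source. The log format, host addresses, device names and command vocabulary below are constructed, and the allow-list plus burst heuristic is an assumption about a reasonable detection, not a method the article or the vendors describe.

```python
"""Allow-list and burst detection for substation control commands.

Added example for this article; not code from ESET, Dragos, Claroty or the
Security Ledger. The log format, host addresses, device names and the command
vocabulary are all constructed for illustration.

Idea: CrashOverride/Industroyer issues legitimate protocol commands, so a
detector keyed on unusual protocols or ports sees nothing. Instead, baseline
which hosts may send control (write) commands to which devices, alert on any
control command outside that baseline, and separately alert when one source
issues many control commands in a short window.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ControlEvent:
    ts: int        # seconds (constructed epoch-like timestamps)
    src: str       # sending host
    dst: str       # RTU / device that receives the command
    proto: str     # protocol name as the sensor labels it (constructed)
    cmd: str       # READ, OPEN_BREAKER, CLOSE_BREAKER, SET_TAP (constructed)
    point: str     # the addressed data point, e.g. a breaker


# Commands that change the state of field equipment. Reads are routine.
CONTROL_CMDS = {"OPEN_BREAKER", "CLOSE_BREAKER", "SET_TAP"}

# Baseline of (source host, destination device) pairs allowed to issue
# control commands. Constructed here; in practice it comes from the site's
# engineering documentation or an observation period on a quiet network.
ALLOWED_CONTROL = {
    ("10.0.1.10", "10.0.2.20"),  # operator HMI -> RTU, bay 1
    ("10.0.1.10", "10.0.2.21"),  # operator HMI -> RTU, bay 2
}


def parse_log(text: str) -> List[ControlEvent]:
    """Parse the constructed whitespace-separated format:
    ts src dst proto cmd point. Blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, proto, cmd, point = line.split()
        events.append(ControlEvent(int(ts), src, dst, proto, cmd, point))
    return events


def find_unexpected_controls(events: List[ControlEvent]) -> List[ControlEvent]:
    """Control commands whose (src, dst) pair is not in the baseline.
    The protocol itself is never the signal; only who is commanding what."""
    return [
        ev for ev in events
        if ev.cmd in CONTROL_CMDS and (ev.src, ev.dst) not in ALLOWED_CONTROL
    ]


def find_control_bursts(events: List[ControlEvent],
                        min_cmds: int = 3, window: int = 10) -> Dict[str, int]:
    """Sources that issue at least min_cmds control commands within any
    span of `window` seconds. Returns {src: largest burst size}."""
    by_src: Dict[str, List[int]] = defaultdict(list)
    for ev in events:
        if ev.cmd in CONTROL_CMDS:
            by_src[ev.src].append(ev.ts)
    bursts: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            size = end - start + 1
            if size >= min_cmds:
                bursts[src] = max(bursts.get(src, 0), size)
    return bursts


# Constructed sample: routine operator activity, then a host that was never
# authorized starts opening breakers in quick succession over the same protocol.
SAMPLE_LOG = """
# ts    src        dst        proto    cmd           point
1000    10.0.1.10  10.0.2.20  std-ics  READ          BRK_01
1005    10.0.1.10  10.0.2.20  std-ics  OPEN_BREAKER  BRK_01   # routine switching
1300    10.0.1.55  10.0.2.20  std-ics  READ          BRK_01   # reads stay quiet
1301    10.0.1.55  10.0.2.20  std-ics  OPEN_BREAKER  BRK_01
1302    10.0.1.55  10.0.2.21  std-ics  OPEN_BREAKER  BRK_02
1303    10.0.1.55  10.0.2.22  std-ics  OPEN_BREAKER  BRK_03
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in find_unexpected_controls(evs):
        print(f"ALERT unauthorized {ev.cmd} on {ev.point}: {ev.src} -> {ev.dst} at t={ev.ts}")
    for src, n in find_control_bursts(evs).items():
        print(f"ALERT {n} control commands from {src} within 10s")
```

Run against the constructed sample, the allow-list check flags the three breaker commands from the unauthorized host while ignoring its reads, and the burst check flags that same host for three control commands inside ten seconds; the operator HMI's single routine command trips neither rule. Both signals work even though every packet uses the site's normal protocol, which is the gap the article describes.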

Joe Weiss, an industrial control systems security expert and the Managing Partner at Applied Control Solutions, said that the potential of software based attacks causing physical damage to sensitive equipment has been recognized for years. The so-called “Aurora” test conducted by Idaho National Laboratories in 2007 demonstrated how a generator could be physically damaged by manipulating software that managed the device. Weiss, who is a vocal critic of security practices in the power sector, says that too little has been done in the intervening years to prevent such attacks, even amid mounting evidence that cyber adversaries have targeted the electric grid.

“We’re seeing case after case of this stuff happen. What the hell are policy makers doing or thinking? How can this stuff continue to happen,” Weiss said. The electric power industry has adopted a strict cyber security standard, known as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) plan. However, many parts of the U.S. grid, including large swaths of the electric distribution infrastructure that brings power to homes and businesses, are exempt from NERC CIP requirements. “You have all of these exclusions that allow utilities not to have to look at very much,” said Weiss.

You can read the Dragos report (PDF) and the ESET analysis.
