This newly detected malware could cause power outages, new research says
Hackers related to the Russian Government have developed a malicious malware that can cause power outage and possibly harm other critical infrastructures around the world, two cyber security firms announced yesterday.
ESET, a Slovakian anti-virus software maker, who dubbed the malware Industroyer, said that it was used by hackers to briefly shut down one-fifth of the electric power generated in Ukraine’s capital, Kiev in December 2016.
The malware is the “biggest threat to industrial control systems since Stuxnet,” ESET said, without indicating who was behind it. However, Ukrainian officials have blamed Russia for it, according to Reuters.
“The malware is really easy to repurpose and use against other targets; that is definitely alarming,” ESET malware researcher Robert Lipovsky told Reuters in a telephone interview. “This could cause wide-scale damage to infrastructure systems that are vital” such as turning off power distribution channels to more serious damage to equipment. It also contains certain features that are designed to enable it to remain unnoticed.
On the other hand, another cyber security company, Dragos who has given its own name to the malware “Crash Override”, tied it to a hacker group called Electrum. Electrum has ties to the Sandworm Team, which targeted infrastructure companies in the U.S. in 2014, and Ukraine’s electric utilities in 2015. Apparently, Sandworm has been linked to the Russian government.
According to a report from Dragos, Crash Override is the second malware program that can immobilize industrial systems like power plants. The first, called Stuxnet, was reportedly developed by the U.S. government and and Israel to disrupt Iran’s nuclear capability.
“Crash Override is not unique to any particular vendor or configuration, and instead leverages knowledge of grid operations and network communications to cause impact,” Dragos said.
“In that way, it can be immediately re-purposed in Europe and portions of the Middle East and Asia.”
Sergio Caltagirone, director of threat intelligence for Dragos, who studied the malware, said that with small modifications, the malware could be deployed against U.S. electric transmission and distribution systems to devastating effect.
“CrashOverRide represents alarming tradecraft and the ability to disrupt operations,” said Dragos. However, it also added that while the malware can cause an outage for a few days in portions of a nation’s grid, it cannot bring down the entire power grid of a country, Reuters reported.
The attack on Ukraine’s power grid in 2016 was more of a proof of concept attack, rather than a full demonstration of the malware’s capabilities, Dragos said.
“The modules in CRASHOVERRIDE are leveraged to open circuit breakers on RTUs [remote terminal units]and force them into an infinite loop keeping the circuit breakers open even if grid operators attempt to shut them. This is what causes the impact of de-energising the substations,” Dragos said in a blog post, adding that grid operators can alleviate this issue by going back to manual operations. The malware is also designed to disrupt service, not destroy equipment as previous industrial control system malware Stuxnet had.
“Industroyer’s ability to persist in the system and to directly interfere with the operation of industrial hardware makes it the most dangerous malware threat to industrial control systems since the infamous Stuxnet, which successfully attacked Iran’s nuclear programme and was discovered in 2010,” Anton Cherepanov, senior malware researcher at ESET said in a statement.
ESET and Dragos have issued private alerts to governments and infrastructure operators on Monday to help them protect against the malware.
The Department of Homeland Security have also supported the warning, saying it was working to better understand the threat posed by Crash Override.
“The tactics, techniques and procedures described as part of the Crash Override malware could be modified to target U.S. critical information networks and systems,” the agency said in an alert posted on its website.
While the cyberattack-caused blackout in Kiev lasted for about 75 minutes didn’t lead to any disasters. However, experts warn that it’s only a glimpse of the future of cyberwarfare.
“There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations,’ said Dragos.
Although it is not disastrous, CrashOverRide remains a concerning capability, it added.