The Platform – Possibly Russian-Backed – Said to Have Caused Ukraine Blackouts
Two security firms have investigated what they describe as a malware platform for attacking the industrial control systems that run electricity plants. They warned the platform was the likely culprit behind the December blackouts in Ukraine.
The platform could be quickly customized for automated, broader attacks. Security experts have warned that industrial control systems, used in industries such as manufacturing and utilities, are likely to be of increasing interest to hackers.
The two analyses were published on Monday by ESET, which is based in Slovakia, and Dragos, based in Washington. The findings come just seven months after a second cyber intrusion in a year in Ukraine caused power blackouts (see Ukraine Blackout Redux: Hacking Confirmed).
ESET calls the malware Industroyer, while Dragos calls it Crash Override. Both companies say the malware represents a significant, sophisticated engineering effort. ESET shared clues about the malware with Dragos. Dragos says it was contacted by the media regarding a report soon to be published by ESET, which led to it writing its own report.
The malware’s developers took pains to understand the arcane protocols used in industrial control systems, a rarely seen effort along similar lines as Stuxnet, the U.S.-Israeli malware that disrupted Iran’s nuclear weapons program.
The same day the reports were released, the U.S. Computer Emergency Readiness Team distributed its own warning, in which it ranked the findings as a “medium priority” issue.
“There is no evidence to suggest this malware has affected U.S. critical infrastructure,” CERT says in its advisory. “However, the tactics, techniques and procedures described as part of the Crash Override malware could be modified to target U.S. critical information networks and systems.”
Deep ICS Knowledge
ESET says it’s unlikely the malware could have been developed without access to the specific equipment it targets.
Crash Override module overview including ESET’s discoveries. (Source: Dragos)
“The capabilities of this malware are significant,” ESET writes in its report. “The gang behind Industroyer are more advanced since they went to great lengths to create malware capable of directly controlling switches and circuit breakers.”
That is the same kind of masterful, native control that Stuxnet used to cause Iran’s uranium centrifuges, which were controlled by software made by Siemens, to spin out of control.
But there’s a key difference between Industroyer/Crash Override and Stuxnet, which was designed to bridge air-gapped networks. To infect its target, Stuxnet used four zero-day vulnerabilities for Microsoft’s Windows operating system. Industroyer/Crash Override doesn’t appear to use any.
But like Stuxnet, Industroyer/Crash Override manipulates power systems in the way they’re intended to be used, making detection and defense difficult. It may have initially infected systems through spear phishing, which are targeted emails with malicious content, or through other social engineering.
“There is no simple fix, as the capability described in this report takes advantage of the knowledge of electric grid systems,” Dragos writes in its report. “It is not an aspect of technical vulnerability and exploitation. It cannot just be patched or architected away, although the electric grid is entirely defensible.”
Dragos says that Industroyer/Crash Override could be “extended to other industries with additional protocol modules,” but there are no signs that development is underway. It also cautiously described the possible damage from such an attack against a utility.
“The scenario is not cataclysmic and would result in hours, potentially a few days, of outages, not weeks or more,” Dragos writes.
ESET and Dragos differ somewhat over whether Industroyer/Crash Override is responsible for the blackouts in Ukraine in December 2016. The country’s national power company, Ukrenergo, experienced a two-hour blackout after malware affected one transmission substation.
Dragos says Industroyer/Crash Override is that malware. ESET says it is still investigating, but that conclusion seems likely, as the malware has an “activation timestamp” of Dec. 17, 2016, the same day as the outage.
“Nevertheless, we believe that to be a very probable explanation, as the malware is able to directly control switches and circuit breakers at power grid substations using four ICS protocols,” ESET says.
About a year prior, on Dec. 23, 2015, about 225,000 customers saw blackout, as at least 30 substations in Ukraine went offline. It’s believed the attackers used malware to get inside the networks of two utilities then manually opened circuit breakers, causing a loss of power (see Ukrainian Power Grid: Hacked).
Security analysts suspect malware called Black Energy and a component called KillDisk were used in the 2015 attacks. ESET says that although some components in the newly discovered malware platform are “similar in concept” to the tools used in the 2015 attacks, “we don’t see any link between those attacks and the code in this malware.”
The Ukrainian power station incidents were speculated to have been spearheaded by Russia, which has kept military pressure on the country since annexing the Crimea in March 2014.
Dragos nicknamed the group that developed Industroyer/Crash Override “Electrum.” The company believes that Electrum has close ties to Sandworm, which the security company FireEye believes conducted both Ukraine attacks.
John Hultquist, director of intelligence for FireEye’s iSight intelligence unit, tells The Washington Post that Sandworm “is tied in some way to the Russian government – whether they’re contractors or actual government officials, we’re not sure. We believe they are linked to the security services.”
Legacy Hardware Defenses
Many of the defenses recommended in U.S. CERT’s advisory will sound familiar, but could stop or at least constrain the ability of attackers using Industroyer/Crash Override.
Among those recommendations is application white listing, which only allows authorized programs to run rather than any executable. “The static nature of some systems, such as database servers and human-machine interface computers, make these ideal candidates to run AWL,” U.S. CERT says.
Industroyer/Crash Override exploits ICS protocols that lack authentication and authorization. Legacy hardware may not have the capability to add those controls. But it may be possible to inspect those commands before they reach legacy hardware by using ICS firewalls or stateful inspection, U.S. CERT says.