Meet Crash Override, aka Industroyer, malware designed to attack power grids and responsible for the partial power outage in Kiev. Credit: Adam Thomas [REMIXED]

Two security firms have released reports about the malware used in the December 2016 Ukraine power outage, warning that the partial power outage in Kiev may have been a test run; the malware could be leveraged against other countries, including the US.

The malware, dubbed Crash Override in the Dragos report (pdf) and Industroyer in the ESET report (pdf), has nothing to do with espionage and everything to do with cyber-sabotage.

Crash Override, Dragos says, “is the first ever malware framework designed and deployed to attack electric grids.” It could be “leveraged at multiple sites simultaneously.” Dragos founder Robert M. Lee told Reuters, “The malware is capable of causing outages of up to a few days in portions of a nation’s grid, but is not potent enough to bring down a country’s entire grid.” It could be used to attack the power grid in Europe, and with a tweak here and there, “it could be leveraged against the United States,” Lee said.

The malware has a modular framework which includes not one but two backdoors: one is used to gain persistence on systems, while the second is a backup in case the first backdoor is discovered. The malicious toolkit has a custom-made port scanner to map the network, a denial-of-service (DoS) tool that ESET says can be used against Siemens SIPROTEC devices, and a wiper. The data wiper module erases files, clears registry keys, kills running processes, crashes the machine and stops it from rebooting.

The framework also includes modules which can be used to open circuit breakers “and force them into an infinite loop keeping the circuit breakers open even if grid operators attempt to shut them.” But that’s not nearly all, as Crash Override was written by those in the know: attackers who have in-depth knowledge of industrial control system protocols.
The malware, according to ESET, “is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).”

ESET explained that those protocols were designed decades ago with no security in mind, since the industrial systems were isolated rather than put online. The attackers didn’t need to find vulnerabilities in the protocols; they only needed to teach the malware to speak those protocols.

Attackers have the “ability to ‘plug and play’ additional modules.” Dragos suggested that the attack on Kiev may have been more of a “proof of concept” than a full demonstration of the malware’s capabilities. Dragos noted, “There’s a ton of functionality in this that was never used in Ukraine. This suggests it was being prepared for use at multiple sites.”

The research teams believe “Electrum” is the group behind the attack on Kiev’s power grid. Electrum is believed to have ties to the Sandworm Team, which is suspected of being linked to Russia and of having been responsible for targeting Ukraine’s electric utilities in 2015 as well as infrastructure companies in the US and Europe in 2014.

For more about indicators of the malware as well as attack scenarios and implications, you should read both reports.

In the words of ESET: “Thanks to its ability to persist in the system and provide valuable information for tuning-up the highly configurable payloads, attackers could adapt the malware to any environment, which makes it extremely dangerous. Regardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve as a wake-up call for those responsible for security of critical systems around the world.”
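Two of the behaviours described above leave a footprint in ordinary network flow records from an OT segment: the custom port scanner mapping the network, and a module hammering breakers with repeated open commands. The script below is an added example, not code from the article or from Dragos or ESET, of how a defender might flag both from such records. The record format, host addresses, port numbers, command names and thresholds are all constructed for the example and are not indicators from either report; real sensor output and sensible thresholds will differ per site.

```python
"""Added example (not from the article or the Dragos/ESET reports):
flag two behaviours in constructed OT flow records.

 1. a source touching many distinct (host, port) targets in a short
    window, the signature of a port scanner mapping the network;
 2. the same control command repeated against one device many times
    in a short window, the "keep the breaker open" loop pattern.

Record format (constructed): '<iso-time> <src-ip> <dst-ip> <dst-port> <command>'
where <command> is '-' for traffic that carries no control command.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flow(line: str) -> dict:
    """Parse one constructed flow line into a dict."""
    ts, src, dst, dport, cmd = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "cmd": cmd}


def _max_in_window(times, window):
    """Largest number of sorted timestamps that fit in any `window`."""
    lo, best = 0, 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_port_scan(flows, window_s=60, distinct_threshold=15):
    """Return [(src, n_targets)] for sources that contacted more than
    distinct_threshold distinct (dst, dport) pairs inside one window."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    hits = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        window, lo, best = timedelta(seconds=window_s), 0, 0
        for hi in range(len(fl)):
            while fl[hi]["ts"] - fl[lo]["ts"] > window:
                lo += 1
            best = max(best, len({(f["dst"], f["dport"]) for f in fl[lo:hi + 1]}))
        if best > distinct_threshold:
            hits.append((src, best))
    return hits


def detect_repeated_control(flows, command="open-breaker",
                            window_s=60, repeat_threshold=3):
    """Return [(src, dst, count)] when `command` is sent from src to dst
    more than repeat_threshold times inside one window."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["cmd"] == command:
            by_pair[(f["src"], f["dst"])].append(f["ts"])
    hits = []
    for (src, dst), times in by_pair.items():
        count = _max_in_window(sorted(times), timedelta(seconds=window_s))
        if count > repeat_threshold:
            hits.append((src, dst, count))
    return hits


def build_sample():
    """Constructed flow lines: an HMI polling one device (plus a single
    operator command), a host probing 20 ports on two devices, and that
    same host sending open-breaker six times in twelve seconds."""
    base = datetime(2016, 12, 1, 22, 0, 0)
    at = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{at(5 * i)} 10.0.5.10 10.0.5.40 4000 -" for i in range(12)]
    lines.append(f"{at(50)} 10.0.5.10 10.0.5.40 4000 open-breaker")
    for i in range(40):
        dst = "10.0.5.40" if i < 20 else "10.0.5.41"
        lines.append(f"{at(100 + i)} 10.0.5.12 {dst} {4000 + i % 20} -")
    for i in range(6):
        lines.append(f"{at(200 + 2 * i)} 10.0.5.12 10.0.5.41 4000 open-breaker")
    return lines


if __name__ == "__main__":
    flows = [parse_flow(l) for l in build_sample()]
    print("scan candidates:", detect_port_scan(flows))
    print("repeated control:", detect_repeated_control(flows))
```

The single operator-issued open-breaker from the HMI stays below the repeat threshold, so only the host that both scanned the segment and looped the command is reported; in practice the two findings against one source address are the pairing worth paging on, since a host that has just mapped the network and then starts issuing control commands matches the sequence the reports describe.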