A newly discovered malware framework, which some believe carries signs of Russian authorship, can be used by hackers to disrupt industrial control systems and cause mass power outages, according to research conducted by cybersecurity firms Dragos Inc. and ESET.
The findings are significant because they represent the first known real-world case of a computer virus designed to directly interact with electric grid hardware, explained Sergio Caltagirone, director of threat intelligence for Dragos.
Researchers believe that a version of the malware framework, dubbed “CrashOverride” or “Industroyer,” was previously leveraged to hack into an electric transmission station in Ukraine, causing a blackout for several hours last December in neighborhoods just north of Kiev.
Evidence of a connection between CrashOverride’s author and the attackers behind last year’s Ukrainian power grid incident exists, according to Caltagirone, but was not published in Dragos’ technical analysis. In January, iSight Partners, a subsidiary of U.S. cybersecurity firm FireEye, attributed the suspicious blackout to a Russian hacking group known as Sandworm.
A group of ESET researchers worked as incident responders in the aftermath of the foreign power outage. ESET originally provided Dragos with evidence of the malware, which the Fulton, Md.-based firm then further analyzed.
Unlike most computer viruses, CrashOverride relies on manipulating a series of communication protocols commonly used by industrial control systems rather than on exploiting hidden software vulnerabilities. These same protocols are shared by systems found in Europe, the Middle East and Asia. With some effort, the modular malware could also be adapted to work against U.S.-centric hardware, Dragos CEO Rob Lee told Vice News’ Motherboard.
CrashOverride is made up of four different and customizable payload components, allowing for an operator to finely tune an attack based on the specifications of a target’s network infrastructure. The payloads themselves affect products made by preeminent industrial technology developers like ABB Group and Siemens.
“The payloads work in stages whose goals are mapping the network, and then figuring out and issuing commands that will work with the specific industrial control devices. Industroyer’s payloads show the authors’ deep knowledge and understanding of industrial control systems,” a blog post by ESET Senior Malware Researcher Anton Cherepanov reads. “Industroyer’s dangerousness lies in the fact that it uses protocols in the way they were designed to be used.”
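Because the malware issues protocol-valid commands rather than exploiting a bug, exploit signatures have nothing to match; what a defender can watch for is the staged behaviour ESET describes, a host mapping many field devices and then issuing control commands from somewhere an operator console would not. The following detector is an added example written for this article, not code from Dragos, ESET or the original text. The log line format, the IP addresses, the device names and the alert thresholds are all constructed assumptions; the article does not name the protocols involved, so the example uses a generic protocol field.

```python
"""Flag ICS control commands that are protocol-valid but come from an
unexpected host, and the device-mapping stage that precedes them.
Added example; the log format below is hypothetical and the data constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed allowlist of hosts that legitimately issue control commands
# (e.g. the operator HMI). A valid control command from any other host is
# suspicious even though the protocol exchange itself looks normal.
ALLOWED_CONTROL_SOURCES = {"10.0.1.10"}

# One host touching this many distinct field devices inside the window is
# treated as the "mapping the network" stage quoted above. Both values are
# assumed tuning knobs, not figures from the article.
ENUM_THRESHOLD = 5
ENUM_WINDOW = timedelta(minutes=10)

# Constructed sample log: a legitimate HMI (10.0.1.10) working two bays,
# then an unexpected host (10.0.7.23) sweeping five bays and opening one.
SAMPLE_LOG = """\
2017-01-05T10:00:00Z src=10.0.1.10 proto=ics op=read dev=bay01
2017-01-05T10:00:05Z src=10.0.1.10 proto=ics op=read dev=bay02
2017-01-05T10:01:00Z src=10.0.1.10 proto=ics op=control dev=bay01 action=close
2017-01-05T10:30:00Z src=10.0.7.23 proto=ics op=read dev=bay01
2017-01-05T10:30:02Z src=10.0.7.23 proto=ics op=read dev=bay02
2017-01-05T10:30:04Z src=10.0.7.23 proto=ics op=read dev=bay03
2017-01-05T10:30:06Z src=10.0.7.23 proto=ics op=read dev=bay04
2017-01-05T10:30:08Z src=10.0.7.23 proto=ics op=read dev=bay05
2017-01-05T10:31:00Z src=10.0.7.23 proto=ics op=control dev=bay03 action=open
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text):
    """Return a list of (alert_kind, source_host, detail) tuples in log order."""
    alerts = []
    recent = defaultdict(deque)   # src -> deque of (ts, dev) inside ENUM_WINDOW
    already_flagged = set()       # hosts already reported for enumeration

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src, op, dev, ts = rec["src"], rec["op"], rec["dev"], rec["ts"]

        # Stage 1: device mapping. Slide the window, then count distinct devices.
        window = recent[src]
        window.append((ts, dev))
        while window and ts - window[0][0] > ENUM_WINDOW:
            window.popleft()
        if src not in already_flagged and len({d for _, d in window}) >= ENUM_THRESHOLD:
            already_flagged.add(src)
            alerts.append(("device_enumeration", src, dev))

        # Stage 2: a control command from outside the allowlist. The command is
        # well-formed; only its origin makes it an alert.
        if op == "control" and src not in ALLOWED_CONTROL_SOURCES:
            alerts.append(("control_from_unexpected_host", src,
                           f"{dev} {rec.get('action', '?')}"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {kind}: {src} -> {detail}")
```

Run as a script it prints two alerts, one for the sweep of five bays by 10.0.7.23 and one for the breaker command it then sends. The design point is that the allowlist and the enumeration window encode what normal operator traffic looks like on this particular network; that baseline, not a malware signature, is what lets protocol-conformant misuse stand out.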
Launching CrashOverride requires a hacker to first compromise a target’s infrastructure, thereby establishing a bridge through which the virus can be sent into a system. An attacker may use phishing emails or another infection vector to gain the necessary initial foothold and gather user credentials in such a scenario, Caltagirone said.
Until Monday, there had only been three known real-world cases of malware designed to target industrial control systems: BlackEnergy, Havex and most famously, the U.S. government-linked Stuxnet. CrashOverride is the newest addition to this category.
While BlackEnergy and Havex are generally understood to have been designed for espionage purposes, only Stuxnet and now CrashOverride are capable of “sabotage,” Caltagirone told CyberScoop in a phone interview. With CrashOverride this means manipulating electricity substation switches and circuit breakers.
CrashOverride is not a worm-based virus; it does not spread automatically or instantaneously from one infected organization to the next. In other words, evidence of the malware so far suggests that this capability would not be easily scalable. It remains unclear how many organizations have been affected by CrashOverride.