Industroyer Malware Detected, Linked to Kiev Attack
- Author: Zachary Reyes, Jun 13, 2017, 2:26
"The recent attack on the Ukrainian power grid should serve as a wake-up call for all those responsible for the security of critical systems around the world", said Anton Cherepanov, senior malware researcher at Eset.
Power firms are concerned there will be more attacks, Alan Brill, a leader of Kroll's cyber security practice, said in a telephone interview.
In 2010 researchers discovered Stuxnet, a groundbreaking piece of malware apparently created to sabotage Iran's nuclear program by sending its centrifuge machines spinning out of control.
With modifications, the malware could attack other types of infrastructure including local transportation providers, water and gas providers, Lipovsky said.
Named "Industroyer", the malware was identified after an attack on Kiev in 2016, and ESET's analysis of the malware has found that it is capable of directly controlling electricity substation switches and circuit breakers. The potential impact may range from simply turning off power distribution, triggering a cascade of failures, to more serious damage to equipment.
Crash Override can be detected if a utility specifically monitors its network for abnormal traffic, including signs that the malware is searching for the location of substations or sending messages to switch breakers, according to Lee, a former U.S. Air Force cyber warfare operations officer.
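As an added example that is not from the article, Dragos or ESET, the following toy detector flags the two traffic patterns Lee describes: a single host sweeping many substation endpoints (searching for substations) and breaker-switching messages from a source that is not an authorized control host. The log format, hosts, threshold and event names are constructed assumptions for illustration.

```python
"""Toy detector for the two patterns the article says a utility can monitor for:
a host sweeping many substation endpoints, and breaker-control commands from an
unexpected source. Log format, hosts and threshold are constructed for this example."""
from collections import defaultdict

# Constructed allowlist: only the engineering workstation may issue breaker controls.
AUTHORIZED_CONTROL_HOSTS = {"10.0.1.10"}
SWEEP_THRESHOLD = 5  # distinct substation endpoints per source before alerting

# Constructed log format: "<ts> <src> -> <dst> <event>"
SAMPLE_LOG = """\
1000 10.0.1.10 -> 10.0.5.21 POLL
1001 10.0.1.10 -> 10.0.5.21 BREAKER_OPEN
1002 10.0.9.77 -> 10.0.5.21 POLL
1003 10.0.9.77 -> 10.0.5.22 POLL
1004 10.0.9.77 -> 10.0.5.23 POLL
1005 10.0.9.77 -> 10.0.5.24 POLL
1006 10.0.9.77 -> 10.0.5.25 POLL
1007 10.0.9.77 -> 10.0.5.25 BREAKER_OPEN
"""


def parse(line):
    """Split one constructed log line into (timestamp, src, dst, event)."""
    ts, src, _, dst, event = line.split()
    return int(ts), src, dst, event


def detect(log_text):
    """Return a list of (timestamp, rule, source) alerts in log order."""
    alerts = []
    seen_dsts = defaultdict(set)  # src -> distinct substation endpoints contacted
    sweep_reported = set()        # sources already flagged for sweeping
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, event = parse(line)
        seen_dsts[src].add(dst)
        # Rule 1: one source touching many substations looks like discovery.
        if len(seen_dsts[src]) >= SWEEP_THRESHOLD and src not in sweep_reported:
            sweep_reported.add(src)
            alerts.append((ts, "substation_sweep", src))
        # Rule 2: breaker control from anything but the authorized host.
        if event.startswith("BREAKER_") and src not in AUTHORIZED_CONTROL_HOSTS:
            alerts.append((ts, "unauthorized_breaker_control", src))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The authorized workstation's BREAKER_OPEN at timestamp 1001 produces no alert; the sweeping host is flagged once it reaches five distinct endpoints and again when it issues a breaker command.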
"The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world".
In particular, Industroyer uses protocols in a common fashion, and its core component is a backdoor that attackers use to install and control the components. "Thus, their communication protocols were not designed with security in mind", according to Eset's report.
"That means that the attackers didn't need to be looking for protocol vulnerabilities; all they needed was to teach the malware 'to speak' those protocols", the report says.
Both Dragos and Slovakian anti-virus firm ESET have issued alerts to governments and infrastructure operators in an effort to prepare them for the possible threat CrashOverride poses, according to Reuters.
An ESET spokeswoman said the firm's researchers were not available for comment ahead of its release.
The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran's nuclear program.
"What makes this kind of industrial control system malware so scary is it can use legitimate, native commands that tell the controllers how to control the process".
That's largely what happened in 2015, when hackers, said to be associated with the Russian Federation, attacked a critical power supply in Ukraine, during a time when relations between the two states were fractious after the Russian Federation annexed the Crimean peninsula in 2014.