The Malware Used Against The Ukrainian Power Grid Is More Dangerous Than Anyone Thought
Researchers have discovered a new powerful—and dangerous—malware that targets industrial control systems.
Last December, when attackers hacked a power transmission company in Ukraine and cut electricity to tens of thousands of customers for an hour around midnight, it was considered a less severe assault than one that occurred the previous December. The latter attack cut power to more than 230,000 Ukrainians for one to six hours during peak dinner hours in the dead of winter.
But new analysis of malware used in the more recent attack suggests it may be more sophisticated and dangerous than previously believed.
Researchers who examined the malicious code say it's a modular toolkit composed of multiple components that have the ability to launch automated assaults against industrial control systems managing the electric grid.
The toolkit doesn't exploit software vulnerabilities to do its dirty tricks—the way most malware does—but instead relies on exploiting four communication protocols or standards that are used with industrial control systems in Europe, the Middle East, and Asia, according to the researchers. This means the attackers could use the same toolkit to target systems in these regions, and may already have done so.
"There's a ton of functionality in this that was never used in Ukraine," says Robert M. Lee, co-founder of Dragos, a critical infrastructure security company that examined the code. "This suggests it was being prepared for use at multiple sites."
With a little tweaking, Lee says the same toolkit would also work against parts of the grid in the US.
The malicious toolkit, which is being called Industroyer by the Slovakian antivirus firm ESET and CrashOverride by Lee and his firm, includes two backdoors, which the attackers use to gain persistence on systems (the second one is designed to regain access if the first backdoor is detected or disabled); a wiper component for erasing critical system files to render grid operator stations inoperable; and a port scanner to map infected networks during the reconnaissance stage.
Researchers with ESET say Industroyer/CrashOverride is the biggest threat to industrial control systems since Stuxnet, the worm that damaged centrifuges used in Iran's nuclear program back in 2009. But Lee downplays this, saying although the toolkit is a big deal, it's designed to disrupt equipment and service, not destroy equipment the way Stuxnet did.
There have only been four malware attacks found in the wild that target industrial control systems: Stuxnet, BlackEnergy2, Havex and now Industroyer/CrashOverride. BlackEnergy and Havex were designed for espionage; only Stuxnet and Industroyer/CrashOverride were designed solely for sabotage.
The distinction matters because determining the intent of malware is often difficult, yet it has important implications for how an intrusion might be viewed under the international laws of war, where espionage is not considered a use of force but sabotage is.
"Anyone who finds this [on their system] can assume the intention is attack," says Lee. "There is no function in this malware that you could use for espionage. So there is zero reason to position this anywhere where you weren't going to attack."
Lee says the malware itself isn't very sophisticated—it has a lot of the same functionality found in other malware attacks. What makes it sophisticated is the extensive knowledge the authors have about industrial control system protocols.
The heart of the malware is the four ICS-specific modules that operate in conjunction with one another to exploit four protocols known as IEC 101, IEC 104, IEC 61850, and OLE for Process Control Data Access (OPC DA).
"What's sophisticated is knowing what protocols to use and in what order," Lee says. "These protocols provide an ability to map out the industrial equipment inside the environment and send commands to [substations] to impact circuit breakers."
The malware has to be custom-built for each target using a configuration that is specific to that site, so an attacker couldn't turn it into a worm to attack just any system it encounters. But Lee says this doesn't mean attackers couldn't target multiple sites simultaneously. The toolkit has logic bomb functionality, which means attackers could infect multiple systems to launch a simultaneous attack against them.
"A smart adversary could take on portions of a grid and substations, similar to what we saw in 2015, for a couple hours," he says. "But with this [logic bomb] function, you could be looking at a day or two of outages fairly easily. I don't think you could go above that—this wouldn't cause cascading failures."
Even so, "you're obviously talking about a complete psychological impact on your human populace that you would not want," he notes.
The 2016 attack on Ukraine's power grid, which struck December 17 at a substation outside the capital city Kiev, was believed to be a test for refining attacks on critical infrastructure around the world.
Once the attackers installed their backdoor, they stole system and administrator account credentials, which allowed them to move through the network undetected. They sat on the network conducting reconnaissance for months, scanning network traffic and studying the daily behavior of administrators so they could mimic their activity.
The malicious toolkit that was used in the attack contained a December 17, 2016 timestamp that activated the protocol components to launch their attack. Lee says the toolkit had the ability to launch a continuous assault on the circuit breakers so that each time operators would try to regain control in order to re-close the breakers, the malware would open them again.
"As operators tried to take control, it goes into an infinite loop," Lee says.
At this point the wiper module would also get activated and delete system files on operator machines to crash them and prevent them from rebooting. The only way operators could then restore power was to physically switch to manual operation mode at the substation.
The attack in 2015 was tied specifically to the model of equipment used at each of the three distribution plants; the attackers had to study the specific equipment used at those plants and design their attack to target it. But there's no equipment component to this newer attack.
"It is directly applicable to every site in Europe, most of the Middle East and most of Asia," he says. The US uses a different communication protocol known as DNP3 (Distributed Network Protocol 3), but this doesn't make it immune to the same kind of assault.
"The way this framework is built, it would be very easy to [switch] in a DNP3 module […] and you'd be able to replay this against portions of the US grid," he says.
Lee says detecting an attack using the Industroyer/CrashOverride framework would not be too difficult. Because the four modules using the communication protocols operate in a very distinct pattern, administrators could configure their security tools to watch for this.
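As an added illustration of the kind of baseline watch Lee describes (example code written for this page, not from the article, Dragos or ESET), the script below scans constructed flow records for hosts that speak the article's ICS protocols without being on an allowlist, that speak more than one of them, or that fan out to many devices. It assumes the standard TCP ports (IEC 104 on 2404, IEC 61850 MMS on 102, OPC DA over DCOM on 135); IEC 101 is serial and would not appear in IP flow logs, and the specific module ordering Lee refers to is not detailed on the page, so it is not modelled.

```python
from collections import defaultdict

# Standard TCP ports for the IP-carried protocols named in the article (assumption:
# the site has not moved them). IEC 101 is serial and is omitted.
ICS_PORTS = {2404: "IEC 104", 102: "IEC 61850 (MMS)", 135: "OPC DA (DCOM)"}

# Assumption: the site keeps an allowlist of hosts permitted to speak ICS protocols
# (HMIs, engineering workstations, SCADA front-ends).
AUTHORIZED_ICS_CLIENTS = {"10.0.1.10", "10.0.1.11"}

# Constructed sample flows as (src_ip, dst_ip, dst_port); not a real capture.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.5.1", 2404),   # known HMI polling an RTU: normal
    ("10.0.1.10", "10.0.5.2", 2404),
    ("10.0.1.42", "10.0.5.1", 2404),   # unlisted workstation talking IEC 104
    ("10.0.1.42", "10.0.5.2", 2404),
    ("10.0.1.42", "10.0.5.3", 2404),
    ("10.0.1.42", "10.0.5.9", 102),    # same host also speaking MMS
    ("10.0.1.42", "10.0.1.20", 135),   # and reaching an OPC server via DCOM
    ("10.0.1.11", "10.0.1.20", 135),   # authorized OPC client: normal
    ("10.0.1.42", "10.0.1.30", 443),   # non-ICS traffic: ignored
]

def analyze_flows(flows, authorized=AUTHORIZED_ICS_CLIENTS, fanout_threshold=3):
    """Return {src_ip: [reasons]} for hosts whose ICS-protocol use is suspicious."""
    protocols = defaultdict(set)   # src -> ICS protocol names it used
    targets = defaultdict(set)     # src -> ICS endpoints it contacted
    for src, dst, dport in flows:
        proto = ICS_PORTS.get(dport)
        if proto is None:
            continue               # not an ICS protocol port; skip
        protocols[src].add(proto)
        targets[src].add(dst)
    alerts = defaultdict(list)
    for src in protocols:
        if src not in authorized:
            alerts[src].append("unauthorized host using " + ", ".join(sorted(protocols[src])))
        if len(protocols[src]) > 1:
            alerts[src].append("multiple ICS protocols from one host")
        if len(targets[src]) >= fanout_threshold:
            alerts[src].append(f"contacted {len(targets[src])} ICS endpoints (possible mapping)")
    return dict(alerts)

if __name__ == "__main__":
    for host, reasons in analyze_flows(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

On the sample data only 10.0.1.42 is reported, with all three reasons; the two allowlisted hosts produce nothing.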