Weekly Executive Summary for Week June 16, 2017

By Kimberly Matsumoto on June 19, 2017

ICS Malware Linked to Power Outages

A new analysis by the U.S. critical infrastructure security firm Dragos Inc. and the Slovak antivirus software maker ESET details malware specifically targeting electric grid operations. Named “CRASHOVERRIDE” and “Industroyer”, it is the first malware designed with this intent. The Dragos and ESET researchers have high confidence that this malware was used against the electric transmission substation in Kiev, Ukraine, on December 17, 2016. The threat group calling itself “ELECTRUM” is believed to have direct ties to the BlackEnergy group.

CRASHOVERRIDE/Industroyer is described as a modular framework consisting of a backdoor, a loader, a data wiper, several supporting modules, and at least four payloads. According to the researchers, “The most important items are the backdoor, which provides access to the infected system, the loader module, which enables effects on the target, and the individual payload modules.” There was no indication that the malware performed any type of espionage; its only goal was to disrupt operations. Specifically, the malware’s creators targeted four industrial control protocols: IEC 60870-5-101 (IEC 101), IEC 60870-5-104 (IEC 104), IEC 61850, and OLE for Process Control Data Access (OPC DA). These payloads allowed the attackers to control electric circuit breakers. A scenario given in the report showed that attackers could initiate an infinite loop in which the breakers open and close, which would cause the substation to go offline because of its safety protections.

CRASHOVERRIDE Module Overview (Dragos Inc.)

The malware targets no specific vendor or vulnerability. It instead takes advantage of the decades-old protocols used in these systems and uses them in the manner they were designed for. This makes defending against it difficult, because many of the normal tools, such as anti-malware or patching, won’t work. The lack of specific targets also means the malware can be leveraged against many different grids with little modification to the code.

The researchers give several defense recommendations tailored to ICS security:

  • Ensure the electric utility security teams have a clear understanding of where and how IEC 104 and IEC 61850 protocols are used.
  • Understand OPC implementations and identify how the protocol is being used.
  • Have robust backups of engineering files such as project logic, IED configuration files, and ICS application installers offline and tested.
  • Create incident response plans for this type of event and perform tabletop exercises.
  • The report included a set of YARA rules and other indicators of compromise that can help with the search for possible infections.
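The first recommendation, knowing where IEC 104 is spoken on the network, also makes the open/close loop described above visible on the wire. The following is an added example, not code from the Dragos or ESET reports: it flags any IEC 104 point that is commanded to flip state more than four times within ten seconds, run over a constructed sensor log whose line format is an assumption for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not from the report): one line per IEC 104 control ASDU seen by a
# passive sensor, in a hypothetical "ts src dst key=value ..." format.
SAMPLE_LOG = """\
2016-12-17T22:00:00 10.1.1.20 10.1.2.5 typeid=100 ioa=0 value=20
2016-12-17T22:00:05 10.1.1.20 10.1.2.5 typeid=45 ioa=2001 value=1
2016-12-17T22:01:00 10.1.1.99 10.1.2.5 typeid=45 ioa=1001 value=1
2016-12-17T22:01:01 10.1.1.99 10.1.2.5 typeid=45 ioa=1001 value=0
2016-12-17T22:01:02 10.1.1.99 10.1.2.5 typeid=45 ioa=1001 value=1
2016-12-17T22:01:03 10.1.1.99 10.1.2.5 typeid=45 ioa=1001 value=0
2016-12-17T22:01:04 10.1.1.99 10.1.2.5 typeid=45 ioa=1001 value=1
2016-12-17T22:01:05 10.1.1.99 10.1.2.5 typeid=45 ioa=1001 value=0
"""

# IEC 60870-5-104 ASDU types that carry switching commands: 45 = C_SC_NA_1, 46 = C_DC_NA_1.
CONTROL_TYPES = {45, 46}

def parse_line(line):
    """Split one sensor line into a record (the line format is an assumption)."""
    ts, src, dst, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "typeid": int(kv["typeid"]), "ioa": int(kv["ioa"]), "value": int(kv["value"])}

def find_toggle_bursts(lines, max_flips=4, window=timedelta(seconds=10)):
    """Return [(dst, ioa, src, flips)] for points commanded to change state
    more than max_flips times within a sliding window of `window`."""
    last_value = {}              # (dst, ioa) -> last commanded state
    flips = defaultdict(deque)   # (dst, ioa) -> timestamps of recent state flips
    alerts, alerted = [], set()
    for line in filter(str.strip, lines):
        rec = parse_line(line)
        if rec["typeid"] not in CONTROL_TYPES:
            continue             # interrogations, clock sync etc. are not switching commands
        key = (rec["dst"], rec["ioa"])
        prev = last_value.get(key)
        last_value[key] = rec["value"]
        if prev is None or prev == rec["value"]:
            continue             # first command, or a repeat of the same state: not a flip
        q = flips[key]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()          # drop flips that fell out of the window
        if len(q) > max_flips and key not in alerted:
            alerted.add(key)     # alert once per point
            alerts.append((rec["dst"], rec["ioa"], rec["src"], len(q)))
    return alerts
```

A real deployment would feed this from a protocol-aware sensor rather than a text log, and would tune the threshold to how often operators legitimately switch a given point.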

The danger of CRASHOVERRIDE/Industroyer is that it is highly customizable. Not only could it be used against different energy organizations around the world, but attackers could also add new modules for use against different sectors.

Sources: CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations (Dragos), WIN32/Industroyer: A new threat for industrial control systems (ESET), US-CERT Alert TA17-163A (US-CERT), ‘Industroyer’ ICS Malware Linked to Ukraine Power Grid Attack (Security Week), Found: “Crash Override” malware that triggered Ukrainian power outage (Ars Technica)


Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community, we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into, or what sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu