All About Industroyer, Energy's Scariest Malware

A new report warns utility companies to prepare themselves, as grid viruses get exceptionally sophisticated

Black out

According to a new report, the Industroyer/CrashOverride malware used to take down a Kiev electrical facility last year is much worse than thought. The surprise attack, which tapped into a mere fraction of the virus’ potential, was sanctioned by the Russian government as a proof of concept. Investigators are cautioning electricity providers that the critical infrastructure of U.S. plants may very likely be next.

If ever there were a time for energy companies to improve visibility in their threat landscapes, it’s right now.

Industroyer/CrashOverride is the biggest threat to grids since Stuxnet, the American-Israeli computer worm that successfully targeted the industrial control system of Iran’s nuclear centrifuges in 2009. “BlackEnergy and Havex were designed for espionage,” says Motherboard, “but only Stuxnet and Industroyer/CrashOverride were designed solely for sabotage.”

The Kiev blackout, which impacted one-fifth of the city’s power consumption for an hour, is thought to be related to a previous Russian attack in the Ukraine. The latter is said to be first cyberattack on a power grid. In that incident, which went down in December 2015, more than 225,000 people in the Ivano-Frankivsk region of Western Ukraine were left without power for one to six hours.

That attack began through a phishing campaign using the BlackEnergy3 malware. It targeted IT workers and system administrators working for multiple electrical companies, some of whom downloaded an infected Word attachment. Investigators believe that Industroyer/CrashOverride, which is more sophisticated than the 2015 attack’s malware, was deployed the same way.

Electricity grid

In the first hack, thieves used the BlackEnergy3 malware to leverage workers’ credentials for VPNs to access SCADA networks. From there, they reconfigured the Uninterruptible Power Supply (or UPS) to disrupt backup power. Then they installed malicious firmware on converters at several substations. Ultimately, they opened circuit breakers to disrupt power supplies.

Along the way, the criminals froze monitoring systems and crashed PC computers and servers. They triggered a TDoS to hit phone systems, so customers couldn’t report outages. And they sabotaged operator workstations to make power restoration that much more difficult. It took months for centers to become fully operational; much of that progress involved manually controlling breakers.

In contrast, the 2016 Kiev breach was noticeably automated and advanced, enabling a faster, more destructive attack. “This new malware can automate mass power outages…and includes swappable, plug-in components that could allow it to be adapted to different electric utilities, easily reused, or even launched simultaneously across multiple targets,” Wired writes. “Those features suggest Crash Override could inflict outages far more widespread and longer lasting than the Kiev blackout.”

It also builds backdoors to offer alternate network access if detected, has a wiper that erases files to prevent non-manual grid operation, and establishes a scanner that tracks infected networks during the recon stage. Most unsettlingly, it demonstrates intricate knowledge of industrial control-system processes. If it lives up to its potential, there are fears of physical damage: system overloading that damages equipment or melts lines.

After the 2015 attack, investigators used firewalls and system logs to piece together a forensic picture. But those very tools also underscore failures in threat-detection software. Why weren’t security teams able to spot malware or escalating user privileges in the first place? Rules or threshold-based security, we’ve learned, simply doesn’t work when threats shapeshift and hide.

Addressing these shortcomings should now be a pressing concern for electricity companies. “The way the Ukrainians set up the grid and the type of the equipment they are using,” said Robert Lee, an infrastructure specialist at cybersecurity firm the Sans Institute, “is also the way a lot of other nations do it.”