ESET and Dragos this week published reports detailing a sophisticated piece of malware believed to have been used in the December 2016 attack aimed at Ukraine’s power grid.
Dubbed Industroyer by ESET and CrashOverride by Dragos, this modular malware has several components: a backdoor, a launcher, a data wiper, DoS and port scanner tools, and at least four payloads.
The payloads allow the malware’s operators to control electric circuit breakers directly via the industrial communication protocols IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA, which suggests that at least some of the malware’s developers have a deep understanding of power grid operations and industrial network communications.
Researchers described some theoretical attack scenarios involving this malware and warned that the threat could be adapted for attacks on other countries, including the U.S., and other sectors.
Contacted by SecurityWeek, industry professionals shared some thoughts on the threat posed by CrashOverride/Industroyer, and provided recommendations on how organizations can protect their systems.
And the feedback begins…
Phil Neray, VP of Industrial Cybersecurity, CyberX:
“Unlike in the first Ukrainian grid attack, where humans were required to remotely control the mouse on compromised SCADA workstations to open the breakers, this malware hijacks ICS devices by communicating directly with them in an automated way, using native ICS protocols such as OPC and IEC 101. We’ve only seen that once before, with Stuxnet. Another interesting way it’s similar to Stuxnet is that it manipulates ICS systems to report back that everything’s OK when in fact it isn’t.
The malware is very modular and could easily be extended to support other protocols such as DNP3 that are commonly used in US electric utilities. But it could also be extended to attack other industries such as manufacturing, food processing, chemicals, and pharmaceuticals. We’ve already seen that nation-states and cybercriminal organizations commonly share advanced tools, so it’s easy to imagine the same tools being used to lock down factories and hold companies up for a lot of ransomware. Another plausible scenario would be stealing corporate trade secrets by probing ICS devices for proprietary information about manufacturing processes and formulas, and then selling the sensitive IP to competitors or to the Chinese on the black market.”
Eric Cornelius, VP of Innovation, Cylance:
“Despite the fact that power grids around the world could be exploited by such a tool, the fear that our nation’s infrastructure will be attacked is largely unfounded. Simply because this weapon is made of code rather than lead doesn’t change the response that its use on our civilian infrastructure will provoke. Given our heightened sensitivity to cyberattacks due to the recent evidence of election tampering, it is easy to conclude that our power grid will be next. That being said, we can’t forget that it is the role of militaries around the world to develop, and test, weapons to use in the defense of their national interests. The existence of these weapons alone, however, does not imply the intent to use them in acts of aggression, and the concept of mutually assured destruction remains as true today as it did at the height of the Cold War.
The takeaway from the discovery of this tool should be a firm reminder that the security of our critical infrastructure is on the minds of our adversaries and should remain at the top of ours. Whether or not there is an immediate intent to harm us, our way of life is inextricably linked to our aging infrastructure and the road to resiliency is long. The time to protect our future is now, yet our calls to action are all too often silenced by the uproar of the next big headline.”
Jalal Bouhdada, Founder and Principal ICS Security Consultant, Applied Risk:
“Industroyer seems to be just a communication driver which toggles commands to achieve undefined or abnormal behaviour; of course, the platform is built with smart logic in mind to cause destruction. The modular design might be an indication that the malware will be used in different environments, possibly hitting the US as well, as modules (a DNP protocol module, for example) can be added at the desire of the Industroyer creators. Adding more advanced modules seems to be a viable option for the attackers, allowing them to perform targeted attacks à la Stuxnet.
We can debate who is responsible for creating such malware; however, what matters the most is how easy it is to create such a piece of malware (like the PoC ransomware Scythe) which targets industrial devices. Industroyer is attacking the principal design choices of industrial protocols. Moreover, if authentication was used to secure the communications between SCADA applications and field devices, we wouldn’t have had to face the effects of this malware. As few requirements are needed to perform Industroyer-like attacks, a fair prediction would say that we will see such malware more often, targeting a variety of industries (one can literally use legitimate tools to recreate the effects of Industroyer).”
Avi Chesla, CEO and Founder, empow:
“The latest cyberthreat out of Russia – the CrashOverride malware – is particularly dangerous because it is capable of executing various malicious activities against different systems autonomously. Yes, it still may require control from the outside, but with developments in AI, hackers can develop ever-more sophisticated, “smarter” malware that can do an enormous amount of damage without human intervention. For example, they can independently identify patterns of different system types and vulnerabilities and decide how to exploit them.
So “self-sufficient” malware is the future of cyberattacks. The WannaCry attack demonstrated some initial basic capabilities – ransomware that can propagate inside the network – which make it more independent than most previous ransomware we’ve seen. In 2015, the Russian malware used to disrupt the power supply network in Ukraine required hackers to remotely manipulate control systems. But the definite trend is toward malware that does not require external activation, and can independently act and propagate inside its target organization.”
Patrick McBride, CMO, Claroty:
“Industrial control systems have been exposed to attack for quite some time. The combination of IT/ICS network convergence – providing poorly secured pathways to industrial control environments that were not designed with cybersecurity in mind – is a dangerous mix. Individual systems have varying, often lackluster security controls in place. While it is very simple to attack ICS networks and cause some level of damage/outage to processes, plants and the electric grid, it is harder to cause permanent damage because of safety systems and the unique system/environment knowledge required to build malware with a more permanently destructive payload. But the systems are dangerously unprotected and the level of sophistication required to cause outages and real damage has been lowered. You don’t need “nation state”-level expertise to copy or reuse existing malware like Industroyer or WannaCry to impact industrial systems.
It is unclear, at this time, whether Industroyer has been used beyond Ukraine. The concentration in Ukraine is plausibly rooted in the Russian/Ukraine conflict in general. Further, the adversary may also be leveraging the Ukraine grid as a test bed – enabling it to further refine its malware and methods and better understand how victims will respond.”
Alan Brill, Senior Managing Director, Cyber Security & Investigations, Kroll:
“The parts of an ICS “talk” to one another over data lines. In this case, an electric grid ICS could talk to a switch at a given substation and open or close it. Doing this to the right combination of switches can cause power to flow where it can cause damage to equipment and leave people in the dark with power outages. To avoid a utility being tied to only one vendor, the “languages” that these devices use to communicate became standardized across manufacturers. So once you understand how the language works, it’s going to work in a lot of power networks.
These systems were developed with the assumption that they weren’t connected to the Internet. Thus, commands could only come from the authorized users. Once the malware is in, it is able to transmit completely accurate and valid-appearing commands, and the language does not provide for positive authentication of the source.
Even more interesting, the “bad guys” realized that the authorized users could undo the damage they caused by issuing correcting commands. My understanding is that the malware also can wipe the software from the switch, so that undoing the unauthorized command takes manual intervention at the switch, which prolongs the problem.”
Barak Perelman, CEO, Indegy:
“This malware demonstrates why ICS control-plane protocols must be protected. These proprietary, vendor-specific protocols, which are used to communicate with control devices (e.g. PLCs, RTUs and DCS) in industrial networks, make it very difficult to monitor access and changes made to critical devices. This lack of visibility enables adversaries to effectively attack these systems while hiding in plain sight.
Detecting malicious activity requires a deep understanding of these native protocols which cannot be accomplished using traditional network monitoring tools or by looking for network anomalies. Monitoring activity performed over control-plane protocols would have immediately identified all the reconnaissance scans in the CRASHOVERRIDE attack and enabled operational staff to prevent the outage. This approach can also identify attempts to tamper with these devices in real-time so threats can be mitigated before any damage is done.”
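The protocol point Brill makes above (a command that is well-formed on the wire is accepted, with no proof of who sent it) and the control-plane monitoring Perelman and Carcano describe can both be seen in a small passive detector for IEC 60870-5-104, one of the protocols the ESET and Dragos reports name. The following is an added example, not code from the page or from any of the vendors quoted; it parses 104 APDUs from constructed sample traffic and alerts on station interrogations and double commands whose source is not a known master. The host addresses, the RTU common address and the information object address are assumptions.

```python
"""Passive monitor for IEC 60870-5-104 control-plane traffic (added example).

Parses APDUs, extracts the ASDU, and alerts when a station interrogation or a
single/double command with cause of transmission 'activation' comes from a host
that is not a known master. The protocol carries no authentication, so on the
wire the only things that distinguish a legitimate command from a hostile one
are where it came from and whether it fits normal operations.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# ASDU type identifiers (IEC 60870-5-101/104)
C_SC_NA_1 = 45    # single command
C_DC_NA_1 = 46    # double command (e.g. breaker open/close)
C_IC_NA_1 = 100   # interrogation command (station-wide data read)
CONTROL_TYPES: Dict[int, str] = {
    C_SC_NA_1: "single command",
    C_DC_NA_1: "double command",
    C_IC_NA_1: "interrogation",
}
DCS_NAMES = {1: "OFF", 2: "ON"}   # double command state, bits 0-1 of the DCO byte

# Causes of transmission
COT_ACTIVATION = 6   # master -> outstation: do this
COT_ACTCON = 7       # outstation -> master: acknowledged


@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cot: int
    originator: int
    common_addr: int
    ioa: int          # information object address of the first object
    element: bytes    # raw element bytes of the first object


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Parse one 104 APDU. Returns the ASDU for I-format frames and None for
    S-/U-format frames (which carry no ASDU). Raises ValueError on bad framing."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("bad start byte or frame too short")
    if frame[1] + 2 != len(frame):          # length field covers control field + ASDU
        raise ValueError("APDU length field does not match frame size")
    ctrl = frame[2:6]
    if ctrl[0] & 0x01:                      # bit 0 set: S-format (01) or U-format (11)
        return None
    body = frame[6:]
    if len(body) < 10:                      # 6-byte ASDU header + 3-byte IOA + 1 element byte
        raise ValueError("ASDU too short")
    type_id, vsq, cot_byte, originator = body[0], body[1], body[2], body[3]
    common_addr = struct.unpack_from("<H", body, 4)[0]
    ioa = int.from_bytes(body[6:9], "little")
    return Asdu(type_id, vsq & 0x7F, cot_byte & 0x3F, originator, common_addr, ioa, body[9:])


def build_iframe(type_id: int, cot: int, common_addr: int, ioa: int, element: bytes,
                 send_seq: int = 0, recv_seq: int = 0) -> bytes:
    """Build an I-format APDU with one information object. Used here only to
    construct sample traffic; a real monitor reads frames from a span port or pcap."""
    asdu = (bytes([type_id, 1, cot, 0]) + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + element)
    ctrl = struct.pack("<HH", send_seq << 1, recv_seq << 1)   # bit 0 clear => I-format
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def detect(packets: List[Tuple[str, bytes]], known_masters: Set[str]) -> List[str]:
    """Return one alert per control-plane activation sent by a host that is not a known master."""
    alerts = []
    for src, frame in packets:
        asdu = parse_apdu(frame)
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue
        if asdu.cot != COT_ACTIVATION:      # confirmations come back from the RTU, not the attacker
            continue
        if src in known_masters:
            continue
        detail = ""
        if asdu.type_id == C_DC_NA_1:
            dco = asdu.element[0]
            state = DCS_NAMES.get(dco & 0x03, str(dco & 0x03))
            phase = "select" if dco & 0x80 else "execute"
            detail = f" DCS={state} {phase}"
        alerts.append(f"{src}: {CONTROL_TYPES[asdu.type_id]} to CA={asdu.common_addr} "
                      f"IOA={asdu.ioa}{detail}")
    return alerts


# Constructed sample traffic; hosts and addresses are assumptions, not data from the incident.
HMI = "10.0.1.10"      # the only legitimate master
RTU = "10.0.1.20"      # the outstation
ROGUE = "10.0.1.77"    # a compromised engineering workstation
SAMPLE: List[Tuple[str, bytes]] = [
    (HMI,   build_iframe(C_IC_NA_1, COT_ACTIVATION, 1, 0, bytes([20]))),         # routine station interrogation
    (RTU,   build_iframe(C_IC_NA_1, COT_ACTCON, 1, 0, bytes([20]))),             # RTU acknowledges it
    (ROGUE, bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),                        # STARTDT act (U-frame, no ASDU)
    (ROGUE, build_iframe(C_IC_NA_1, COT_ACTIVATION, 1, 0, bytes([20]))),         # reconnaissance: read everything
    (ROGUE, build_iframe(C_DC_NA_1, COT_ACTIVATION, 1, 0x1001, bytes([0x81]))),  # breaker OFF, select
    (ROGUE, build_iframe(C_DC_NA_1, COT_ACTIVATION, 1, 0x1001, bytes([0x01]))),  # breaker OFF, execute
]

if __name__ == "__main__":
    for line in detect(SAMPLE, {HMI}):
        print("ALERT", line)
```

The RTU accepts the rogue host's select/execute pair exactly as it would the HMI's, which is the design weakness Brill and Bouhdada describe; the allowlist on the source address is the monitor's only lever, and it is enough to surface the interrogation scan before the commands follow. The obvious caveat is that if the malware runs on a host that is itself a permitted master, source-based allowlisting alone passes it, and the process-aware checks Carcano mentions (commands that move the system toward an abnormal state) have to carry the detection.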
Nathan Wenzler, chief security strategist, AsTech:
“Incidents involving malware that targets specific ICS systems, such as Industroyer, are still relatively rare occurrences. However, because of their focus on disrupting power grids and other industrial systems, the amount of damage that can be caused can be incredibly significant. While malware of this nature targeting assets here in the U.S. has yet to be reported publicly, it’s incredibly likely that we will eventually face such a threat. Since malware like this is often backed by government groups, there is a lot of political motivation behind propagating this kind of attack to cause damage to infrastructure or other core services provided to large populations.
Industroyer is particularly interesting in that it is built in a modular fashion, which allows for multiple tools, exploit kits, or customized attack methods for different ICS targets to be added quickly and easily. This will make it trivial for whoever wrote this code to modify it for attacks against different targets or types of systems, allowing for a sort of morphing characteristic that will make it harder to detect and protect against as more and more variations are released into the wild. Add to this the fact that many vendors of ICS products don’t often build security into their applications or provide quick upgrades, patches or hotfixes in response to identified vulnerabilities, and it makes a malleable, flexible malware package like Industroyer especially dangerous to defend against even if the variants are identified.”
John Bambenek, Threat Research Manager, Fidelis Cybersecurity:
“In the realm of security, bigger nations picking on smaller nations is nothing new and it’s often done without consequence. If Russia is behind this latest attack, there isn’t much Ukraine can do about it. If Ukraine did have sufficient deterrent capability, they’d have kicked Russia out of Crimea and Eastern Ukraine by now.
Picking on the US is another matter. Unlike Russia’s election information operations, the US has a wide variety of response strategies. The US can launch physical attacks and respond in-kind. After all, the US and allies created Stuxnet. It can always decide to put the band back together.
The fact that the US can retaliate does not mean we aren’t at risk. As a nation, we have a wide variety of infrastructure that’s susceptible to attack. At the moment, our largest defense seems to be deterrence.”
Paul Edon, Director of International Customer Services, Tripwire:
“Historically, industrial networks have used air-gap and diode-based architectures to defend against the risks associated with corporate intranet and Internet communications. However, due to economic pressures, i.e. increasing costs and decreasing numbers of skilled resources, it has become necessary for many organizations to centralize some of the management and control functions that would have previously been local to industrial plants, refineries, distribution facilities etc. This centralization has meant expanding the reach of the enterprise network into the industrial environment, and in doing so, exposing those industrial environments to levels of cyber risk for which they were neither secured nor designed.
Post-design security is always a much greater challenge than the “security by design and default” that we would expect today. However, the majority of attacks can still be defended against by employing the same strategy as that used for the enterprise, i.e. “Security Best Practise,” “Defence in Depth” and “Foundational Controls.”
Kaspersky Lab:
“Malware with such functionality is pretty unique – although it shares ideas and approaches with other malware we have seen and attacks we have investigated. However, Kaspersky Lab and its ICS CERT have been warning for some time that cyber-attackers are increasingly willing and able to launch attacks on critical infrastructure, particularly industrial control systems connected to the Internet – while organizations and countries remain worryingly under-prepared.
In order to protect the ICS environment from possible cyber-attacks, Kaspersky Lab advises the following:
- Conduct a security assessment to identify and remove security loopholes.
- Request external intelligence: intelligence from reputable vendors helps organizations to predict future attacks on the company’s industrial infrastructure.
- Train your personnel
- Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response, to block an attack before it reaches critically important objects.
- Evaluate advanced methods of protection. A Default Deny scenario for SCADA systems, regular integrity checks for controllers, and specialized network monitoring to increase the overall security of a company will reduce the chances of a successful breach, even if some inherently vulnerable nodes cannot be patched or removed.”
Owen Connolly, VP of Services at IOActive:
“CrashOverride is a threat, certainly, and yet another wake-up call for the industry. How large of a threat? It may impact lots of systems globally, but it is unlikely it will have widespread impacts to grid operations. The good news about attacking power grids is that it is hard. Not impossible, but certainly difficult. And it requires insider-equivalent information about systems across large geographic areas. Also, given the mixture of digital, analog, and manual systems, widespread outages are unlikely from malware alone.
But, combining various cyber-physical techniques along with malware in a combined threat could certainly force multiply what CrashOverride can do now into a large scale grid event. That would require a lot of information about substation automation, what systems were in use, timing requirements between substations, interconnected systems across multiple utilities, and a myriad of other data. All obtainable, but certainly a large work effort to pull off.”
Joseph Carson, chief security scientist, Thycotic:
“It’s very likely we’ll see similar attacks in the US as most of the SCADA control systems and industrial control systems being used are the same. The major difference will be in how well those systems are being protected and what additional security controls are in place. For example, many of the incidents, like the one that occurred in Ukraine, were a failure to even apply the basic security controls, which allowed the attackers to easily gain access and laterally move around the network undetected, eventually carrying out the malicious activity. This highlights that cyber-criminals with sufficient technical knowledge, resources and time can plan an effective attack with potentially serious catastrophic results.”
Andrea Carcano, Co-founder and Chief Product Officer, Nozomi Networks:
“Organizations with Industrial Control Systems (ICS) should know that technology is available today that provides real-time cybersecurity visibility for SOCs (Security Operations Centers) and that detects and mitigates APTs on OT systems.
For example, such a solution will detect queries being made to devices to collect data that could be used to design and implement a critical systems attack. And, through a deep understanding of the process being run by the ICS, identify that process parameters are changing and could bring the system into a critical state.
Once alerts about both data collection communications and process variable changes are communicated to the SOC, staff can execute prevention and mitigation measures.”
Sven Schrecker, Chair, Industrial Internet Consortium Security Working Group:
“Attacks on critical infrastructure are becoming too common in the world today. Furthermore, the techniques being implemented by the bad guys are becoming more advanced in their capabilities. It is a grave concern that these threats may target US infrastructure and succeed in doing significant damage. We’ve seen such activity at a small scale in the past, and that should be a wake-up call that we must be proactive.
The methods for delivering the malware and attacking the systems are evolving at an ever-increasing pace. Unfortunately, the legacy equipment that makes up the majority of the critical infrastructure base was never designed with cyber security in mind. The attackers are preying on this oversight. Fortunately, existing technology can be applied to critical infrastructure to mitigate some of the most egregious vulnerabilities and enable the critical infrastructure to continue to use the legacy protocols and processes with additional security in place.”
David Zahn, GM of Cybersecurity Business Unit, PAS:
“There seems an undercurrent of surprise or reactionary concern when we hear details on how bad actors are advancing sophisticated means to attack critical infrastructure. In power, we are in denial that a similar attack could happen in the US. We also get mired in misconceptions that we are well prepared because of regulation, or squirrels – yes squirrels – are more likely to bring down power than a hacker. The problem is that nation states have a plan, squirrels do not.
The latest news about Crash Override is one more wake-up call that we need to become better at the cybersecurity basics which most industrial companies struggle with today – knowing what ICS cyber assets you have (from smart field instruments to controllers to workstations), identifying and managing vulnerabilities, detecting when an unauthorized change occurs, and ensuring backups are available.”