LAS VEGAS -- Security researchers at Black Hat USA 2017 had good news and bad news about the "Industroyer" malware that disrupted the energy grid in Ukraine last year. The good news is the malware likely won't work in North America without modifications, and even then it wouldn't trigger widespread blackouts and critical infrastructure failures.
The bad news, however, is that the Industroyer malware shows a considerable evolution of tradecraft for cyberattacks against industrial control systems, as well as a clear willingness to cross hypothetical lines by targeting and even destroying critical infrastructure.
"It's the first ever malware specifically designed to attack power grids," Robert Lipovsky, senior malware researcher at cybersecurity vendor ESET North America, said of Industroyer. "And we consider it to be the biggest threat against industrial control systems since Stuxnet."
Researchers from ESET and Dragos Inc., which specializes in industrial control system (ICS) security, teamed up for a Black Hat presentation titled "Industroyer/CrashOverride: Zero Things Cool About a Threat Group Targeting the Power Grid." (Dragos refers to the Industroyer malware campaign as "CrashOverride.") While the title of the presentation made a humorous reference to the oft-lampooned 1995 movie Hackers, the researchers agreed the topic was nothing to joke about.
The Industroyer malware was used in a massive cyberattack in Ukraine on Dec. 17, 2016; the timed attack targeted electricity distribution substations in Kiev and assumed control of circuit breakers in ICSes to cut the power, leading to substantial blackouts that lasted many hours. "With that, it joined an elite club of only three malware families known to be used in attacks against ICS," Lipovsky said, referring to BlackEnergy, Stuxnet and Havex.
But Lipovsky said Industroyer wasn't general-purpose or even cyberespionage malware; it was designed to attack specific ICSes, and one of its components exploited a vulnerability in a Siemens ICS product. Lipovsky said Siemens patched the flaw with a firmware update. Industroyer also guards its foothold on the target system: in addition to its primary backdoor, it carries a secondary backdoor disguised as a "Trojanized" version of Windows Notepad, which replaces the legitimate program on the target system and which the attackers can activate if the primary backdoor has been mitigated.
The Industroyer malware had additional functionality designed to disrupt response and recovery efforts. The specific functionality doesn't attack the ICSes themselves, but instead targets the workstations used to configure them. "As an engineer at a substation," Lipovsky said, "imagine you have circuit breakers being reopened, protection relays not responding and when you sit down to fix the problem [on a workstation], your [supervisory control and data acquisition] software is gone."
Robert Lee, CEO of Dragos, also noted that the threat actors behind the attack curiously built more capabilities into Industroyer than were necessary for the ICS attacks. That, he said, probably wasn't a mistake; it was more likely done to make sure the attacks on the Ukraine energy grid succeeded.
Lee said what he found most interesting about the Ukraine energy grid attack was that there was no simple fix for it. While the Siemens vulnerability was used, the malware did not depend on it to execute on the targeted systems. Instead, Lee said, the attackers behind Industroyer appeared to have studied ICS security and how the energy grid systems in Ukraine operate since the 2015 BlackEnergy attacks, and they codified that knowledge into a new attack framework.
"When we look at this case," Lee said, "I think we're seeing an evolution of adversary tradecraft."
Joe Slowik, senior threat analyst at Dragos, said the attackers didn't discover a zero-day bug; they took the time to learn about the specific ICSes, communication protocols and energy grid operations in Ukraine to build the attack. "We've seen someone who is able to go out and reverse info -- not reverse engineer -- and apply three different methods of communications with physical hardware with grid operations, as well as overcome an additional protocol used for grid monitoring and communication, and then on top of that build a destructive module in turn," Slowik said.
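The protocol-level tradecraft Slowik describes, and the breaker manipulation described earlier in the piece, is what a substation network monitor has to recognize. As an added example (not code from the article, ESET or Dragos), the Python below parses IEC 60870-5-104 I-frames, one of the protocols Industroyer's payload components spoke, and raises alerts for control ASDUs (single and double commands) coming from a host that is not in an assumed allow-list of SCADA masters, or for an execute-OFF sweep across several objects from one source. The IP addresses, station and object addresses, and packet bytes are constructed for the example.

```python
"""Flag IEC 60870-5-104 control commands from unexpected masters or in sweeps.

Added example, not code from the article, ESET or Dragos. All addresses and
packets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# ASDU type identifiers for process-control commands in IEC 60870-5-101/104.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}

# Hosts allowed to issue commands to the outstations (constructed allow-list).
AUTHORIZED_MASTERS = {"10.10.1.5"}


@dataclass
class Asdu:
    type_id: int
    cot: int                 # cause of transmission (low 6 bits)
    common_addr: int         # common address of ASDU (station)
    ioa: int                 # information object address
    select: Optional[bool]   # True = select, False = execute, None = n/a
    state: Optional[str]     # "OFF"/"ON" for single/double commands


def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Return the ASDU carried by an I-format APDU; None for S/U frames or junk."""
    if len(data) < 6 or data[0] != 0x68:
        return None
    length = data[1]
    if length < 4 or length + 2 != len(data):
        return None
    control = data[2:6]
    if control[0] & 0x01:            # bit 0 set: S-format (01) or U-format (11)
        return None
    asdu = data[6:]
    if len(asdu) < 6:                # type id, VSQ, COT (2 bytes), CA (2 bytes)
        return None
    type_id, vsq = asdu[0], asdu[1]
    if vsq & 0x7F != 1:              # example handles single-object ASDUs only
        return None
    cot = asdu[2] & 0x3F
    common_addr = asdu[4] | (asdu[5] << 8)
    body = asdu[6:]
    if len(body) < 4:                # 3-byte IOA plus one qualifier byte
        return None
    ioa = body[0] | (body[1] << 8) | (body[2] << 16)
    select = state = None
    if type_id in (45, 58):          # SCO: bit0 = state, bit7 = select/execute
        select = bool(body[3] & 0x80)
        state = "ON" if body[3] & 0x01 else "OFF"
    elif type_id in (46, 59):        # DCO: bits0-1 = 1 OFF / 2 ON, bit7 = S/E
        select = bool(body[3] & 0x80)
        state = {1: "OFF", 2: "ON"}.get(body[3] & 0x03, "INVALID")
    elif type_id == 47:
        select = bool(body[3] & 0x80)
    return Asdu(type_id, cot, common_addr, ioa, select, state)


def detect(flows: List[Tuple[str, bytes]], sweep_threshold: int = 3) -> List[str]:
    """flows: (source IP, APDU bytes). Returns one alert string per finding."""
    alerts: List[str] = []
    off_targets: Dict[str, Set[Tuple[int, int]]] = {}
    for src, pkt in flows:
        asdu = parse_apdu(pkt)
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue
        if src not in AUTHORIZED_MASTERS:
            mode = "select" if asdu.select else "execute"
            alerts.append(f"{src}: {CONTROL_TYPES[asdu.type_id]} to CA {asdu.common_addr} "
                          f"IOA {asdu.ioa} ({mode} {asdu.state}) from unauthorized master")
        if asdu.select is False and asdu.state == "OFF":
            off_targets.setdefault(src, set()).add((asdu.common_addr, asdu.ioa))
    for src, targets in off_targets.items():
        if len(targets) >= sweep_threshold:
            alerts.append(f"{src}: execute-OFF sent to {len(targets)} distinct objects (breaker sweep)")
    return alerts


def build_command(type_id: int, common_addr: int, ioa: int, qualifier: int,
                  cot: int = 6, ns: int = 0, nr: int = 0) -> bytes:
    """Construct a single-object I-frame APDU (used only to build sample traffic)."""
    asdu = bytes([type_id, 0x01, cot, 0x00, common_addr & 0xFF, (common_addr >> 8) & 0xFF,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, qualifier])
    control = bytes([(ns << 1) & 0xFF, (ns >> 7) & 0xFF, (nr << 1) & 0xFF, (nr >> 7) & 0xFF])
    return bytes([0x68, len(control) + len(asdu)]) + control + asdu


# Constructed traffic: one legitimate command, then an unknown host selecting and
# opening three breakers in a row, a U-frame (STARTDT act) and an interrogation.
SAMPLE_FLOWS = [
    ("10.10.1.5", build_command(45, 1, 0x100, 0x00)),   # authorized: execute OFF
    ("10.10.1.77", build_command(46, 1, 0x201, 0x81)),  # unknown host: select OFF
    ("10.10.1.77", build_command(46, 1, 0x201, 0x01)),  # execute OFF
    ("10.10.1.77", build_command(46, 1, 0x202, 0x01)),
    ("10.10.1.77", build_command(46, 1, 0x203, 0x01)),
    ("10.10.1.77", bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),  # U-frame, ignored
    ("10.10.1.5", build_command(100, 1, 0, 0x14)),      # C_IC_NA_1, not a control
]

if __name__ == "__main__":
    for line in detect(SAMPLE_FLOWS):
        print(line)
```

Run stand-alone, it prints four "unauthorized master" alerts for 10.10.1.77 and one sweep alert. In a real deployment the allow-list would be derived from the engineering workstations and SCADA servers that are supposed to talk to each outstation, and the sweep threshold tuned to how many objects an operator legitimately commands in one session.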
The good news, Slowik said, is that due to the complex nature and specific design of the Industroyer malware, the attack isn't scalable. "This isn't something that can just be released out in the open and worm its way across the power grid and take down lots of things," he said. "Someone has to be in these networks to start with and expend the time, energy and effort to design the software in question to have a malicious effect."
Ben Miller, director of threat operations at Dragos, said Industroyer was "definitely a large step toward manipulating grid systems and substation automation systems," but he emphasized that even an attack on targeted ICSes wouldn't scale beyond hitting individual stations in a nonsynchronized, uncoordinated manner. The malware as observed, therefore, could not trigger widespread cascading blackouts. Miller also said that because of differences in ICS technology and regional power grids, Industroyer isn't applicable to North America without modifications.
However, Lee said the Industroyer malware shows that a "well-funded, well-prepared team" can successfully disrupt energy grids, and that ICS security is not prepared. He also urged governments to take strong action against such attacks rather than allow threat actors to be emboldened by the Ukraine blackouts.
"I don't expect to see CrashOverride show up in North America," Lee said. "But I expect to see the tradecraft that's been exhibited easily codified for other adversaries to take advantage of. And I think all of our grid operators out there need to be aware that these styles of events are things we need to train and prepare for because we will see more of it."