Information security researchers have analyzed a newly disclosed malware capable of destabilizing power grids. The malware is alleged to have been used in an attack that disrupted the operation of a Ukrainian electricity grid in December 2016.
According to reports, the malware, dubbed Industroyer, was first discovered by the Slovak cybersecurity company ESET. The company went public with its findings and released a report on its website describing the technical details of the malware. ESET also shared a large part of its findings with the American industrial control systems (ICS) cybersecurity company Dragos, which verified ESET's findings and published a report of its own thereafter.
The malware is named ‘Industroyer’ in the report released by ESET.
However, the American cybersecurity company Dragos has named it ‘CRASHOVERRIDE’.
CRASHOVERRIDE is described as ICS-tailored malware, meaning that its destructive capabilities are not aimed at a particular vendor. Instead, the malware is built so that it can be readily adapted by adding protocol modules to target electricity grids in the U.S., Europe, and parts of the Middle East and Asia.
There is some non-conclusive evidence suggesting that the malware was used in the 2015 Ukraine power grid attacks. This evidence includes compilation dates and similar data that provide only vague insight into the malware's origin.
‘Industroyer’, or ‘CRASHOVERRIDE’, has been categorized as the fourth ICS-tailored malware strain. The others in this category are Havex, used mainly against organizations in Europe; BlackEnergy, used in the December 2015 Ukraine power grid attacks; and Stuxnet, used in the 2010 attack targeting Iranian nuclear facilities.
Dragos's analysis compares the 2015 and 2016 Ukraine electricity grid attacks and concludes that, although the code used in the two attacks is not the same, some components of the malware are identical in concept.
In its report, Dragos discusses two attack scenarios that could cause a major outage and damage a targeted electricity grid.
The two theoretical attack scenarios are described below:
Scenario 1:
In this theoretical scenario the malware is used to open closed breakers. These breakers act as circuit breakers that protect electrical circuits from damage caused by excessive load; integrated into the grid, they are meant to stop the flow of electricity once a major fault is detected.
Once the malware opens the closed breakers, a major disruption results. The interruption in the flow of electricity can be reversed and normal operation restored by closing the breakers again (this is done by the grid operators through a Human Machine Interface (HMI), which serves as the operator control and monitoring system).
However, the malware that has already infected the HMI then plays its part and creates an infinite loop that keeps opening the closed breakers. By executing arbitrary commands, the attacker also succeeds in denying operators access to the breakers through the HMI.
Such a scenario would force the station operators to try to bring the grid back manually, causing a major electricity outage that might last for a few hours.
Scenario 2:
In this scenario the attacker creates an infinite loop that constantly closes and opens the breakers. This would trigger an alarm that dispatches the command to initiate the protection procedure, taking the electricity grid offline.
What makes the situation even more devastating is that if such an attack were launched against multiple sites simultaneously, it could cause major disruption for days.
Components of Industroyer Discussed in the Published Report:
Main Backdoor:
The backdoor component is said to be the core component of Industroyer. It is used by the attackers to control all the other components of the malware. The backdoor is built to communicate with a C&C server via the Tor network.
Communication with the C&C server is also said to use HTTPS. Another important aspect of the backdoor is that it can be configured to operate only during a specific time window in which the malicious activity is least likely to be detected.
Additional Backdoor:
The additional backdoor provides a fallback that ensures continuity of the attack. In short, it is the main element of a backup plan in case the primary backdoor is detected and shut down.
The additional backdoor also deploys a trojanized version of the Windows Notepad application. When the code inserted into Notepad is decrypted and executed, it connects to a C&C server different from the one used by the main backdoor and downloads further payloads.
Data Wiper Component:
The Data Wiper Component is built for the final stage of the attack.
This component helps cover the attackers' tracks and makes the recovery process far harder for those who have to carry it out.
All in all, the Data Wiper Component erases registry keys and overwrites ICS configuration files and Windows files.
Payloads Component:
The payload components of the malware basically include the following:
- 101 payload component
- 104 payload component
- 61850 payload component
- OPC DA payload component
The payloads are programmed to let the attackers leverage industrial communication protocols and gain control over the circuit breakers.
This is further proof that the malware's developers have a detailed understanding of how industrial network communications work.
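The two scenarios above and the protocol payloads both come down to control commands sent over standard ICS protocols, so a defender can look for them in the protocol traffic itself. The following is an added example, not code from the ESET or Dragos reports: a small parser for IEC 60870-5-104 (the "104" protocol) I-format frames carrying single and double commands (ASDU types 45 and 46), and a detector that flags a breaker point receiving a burst of activation commands, the open/close loop of the scenarios. It assumes the frames are already reassembled TCP payloads with timestamps attached, the sample frames are constructed test data, and the burst window and threshold are assumed tuning values.

```python
"""Flag rapid repeated breaker commands in IEC 60870-5-104 traffic (added example)."""
import struct
from collections import defaultdict

START_BYTE = 0x68
TYPE_C_SC_NA_1 = 45   # single command (SCS: 0 = off, 1 = on)
TYPE_C_DC_NA_1 = 46   # double command (DCS: 1 = off, 2 = on)
COT_ACTIVATION = 6    # cause of transmission: activation, i.e. a control request

# Assumed detection tuning: a point normally receives commands rarely, so several
# activations within a short window is treated as an open/close storm.
BURST_WINDOW_SECONDS = 10.0
BURST_THRESHOLD = 4


def build_command_apdu(type_id, ioa, state, common_addr=1, seq=0):
    """Build one I-format APDU with a single command object (test data only).

    state is 0/1 for type 45 and 1 (off) / 2 (on) for type 46; QU=0 and S/E=0
    give a direct-execute command.
    """
    qualifier = state & 0x03
    # 104 ASDU header: type, VSQ (one object), COT + originator, 2-byte common address
    asdu = struct.pack("<BBBBH", type_id, 1, COT_ACTIVATION, 0, common_addr)
    asdu += ioa.to_bytes(3, "little") + bytes([qualifier])   # 3-byte IOA in 104
    control = struct.pack("<HH", (seq << 1) & 0xFFFE, 0)     # N(S), N(R); bit 0 clear = I-format
    body = control + asdu
    return bytes([START_BYTE, len(body)]) + body


def parse_command_apdu(frame):
    """Return a dict for a control command APDU, None for other frames.

    Raises ValueError on malformed frames so callers can count them separately.
    """
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("not a 104 APDU")
    if frame[1] != len(frame) - 2:
        raise ValueError("APDU length field does not match frame size")
    control = frame[2:6]
    if control[0] & 0x01:
        return None   # S- or U-format frame carries no ASDU
    asdu = frame[6:]
    if len(asdu) < 10:   # 6-byte header + 3-byte IOA + 1-byte command qualifier
        raise ValueError("truncated ASDU")
    type_id, _vsq, cot, _orig, common_addr = struct.unpack("<BBBBH", asdu[:6])
    if type_id not in (TYPE_C_SC_NA_1, TYPE_C_DC_NA_1):
        return None
    ioa = int.from_bytes(asdu[6:9], "little")
    qualifier = asdu[9]
    if type_id == TYPE_C_SC_NA_1:
        state = "on" if qualifier & 0x01 else "off"
    else:
        state = {1: "off", 2: "on"}.get(qualifier & 0x03, "invalid")
    return {
        "type_id": type_id,
        "cot": cot & 0x3F,              # low 6 bits are the cause; bits 6-7 are P/N and T
        "common_addr": common_addr,
        "ioa": ioa,
        "state": state,
        "select": bool(qualifier & 0x80),   # S/E bit: a select, not yet an execute
    }


def detect_breaker_storm(capture):
    """Return alerts (common_addr, ioa, count, states) for points hit by command bursts.

    capture: iterable of (timestamp_seconds, frame_bytes).
    """
    history = defaultdict(list)   # (common_addr, ioa) -> [(ts, state), ...] within window
    alerts, alerted = [], set()
    for ts, frame in capture:
        try:
            cmd = parse_command_apdu(frame)
        except ValueError:
            continue   # malformed frames would be counted by a separate rule
        if cmd is None or cmd["cot"] != COT_ACTIVATION or cmd["select"]:
            continue
        key = (cmd["common_addr"], cmd["ioa"])
        window = [h for h in history[key] if ts - h[0] <= BURST_WINDOW_SECONDS]
        window.append((ts, cmd["state"]))
        history[key] = window
        if len(window) >= BURST_THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], len(window), [s for _, s in window]))
    return alerts


# Constructed sample capture: one routine operator command to IOA 200, then a
# scenario-2 style loop that opens and closes breaker point IOA 100 every second.
SAMPLE_CAPTURE = [
    (0.0,  build_command_apdu(TYPE_C_SC_NA_1, ioa=200, state=1, seq=1)),
    (60.0, build_command_apdu(TYPE_C_DC_NA_1, ioa=100, state=1, seq=2)),   # off (open)
    (61.0, build_command_apdu(TYPE_C_DC_NA_1, ioa=100, state=2, seq=3)),   # on (close)
    (62.0, build_command_apdu(TYPE_C_DC_NA_1, ioa=100, state=1, seq=4)),
    (63.0, build_command_apdu(TYPE_C_DC_NA_1, ioa=100, state=2, seq=5)),
    (64.0, build_command_apdu(TYPE_C_DC_NA_1, ioa=100, state=1, seq=6)),
]

if __name__ == "__main__":
    for ca, ioa, count, states in detect_breaker_storm(SAMPLE_CAPTURE):
        print("ALERT: CA=%d IOA=%d got %d commands within %.0fs: %s"
              % (ca, ioa, count, BURST_WINDOW_SECONDS, ",".join(states)))
```

In a real deployment the frames would come from a network tap on the HMI-to-RTU link, and the alert would be correlated with the HMI's own command log: a burst of activations that the HMI never issued is the signature of the infected-HMI loop described in scenario 1.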
Launcher Component:
The launcher component executes the Data Wiper Component and the payloads.
Additional Tools: DoS Tool & Port Scanner Tool
Among the other tools bundled with Industroyer are a port scanner and a denial-of-service (DoS) tool built to exploit a vulnerability (CVE-2015-5374) in Siemens SIPROTEC devices. Siemens SIPROTEC is used for protection, control and measurement applications in electric energy systems. When the exploit is triggered, the SIPROTEC device becomes unresponsive, causing the protection nodes to fail.