Researchers warn of ‘biggest cyber threat’ to power grids since Stuxnet
Ukraine may be being used as a testbed in preparation for wider attacks worldwide, the researchers who identified the malicious software warn
Attackers deploying sophisticated and sinister-named malware could be flexing their muscles in Ukraine ahead of wider attacks on power networks elsewhere in the world, experts claim.
ESET, a Slovakian anti-virus software maker, and Dragos Inc, a US critical-infrastructure security firm, released details of newly documented malware known as Industroyer or Crash Override.
They had earlier issued private alerts to governments and network operators informing them of the threat.
The US Department of Homeland Security has said it is investigating the malware and saw no evidence to suggest it has infected US critical infrastructure, news agency Reuters reported.
ESET says it is “very probable” that the malware it has identified was used to effect a power outage in Ukraine late last year. The ex-Soviet state has been hit by a series of mysterious electricity outages that have been blamed by some private-sector security researchers on hackers linked to the Russian government.
Industroyer’s dangerous nature arises from its ability to give hackers control over electricity substation switches and circuit breakers. As its name suggests, the malware is designed to disrupt critical industrial infrastructure.
It is being described as the biggest threat to the systems used to control power networks since the Stuxnet computer worm that wreaked havoc on Iran’s nuclear programme by causing centrifuges to spin out of control. That particular ‘digital weapon’ attack was widely attributed to the US and Israel and threw into sharp relief the new world of cyber warfare between enemy nation states.
The most recent publicly documented cyber attack on the power grid in Ukraine was in December 2016. The incident came almost exactly one year after a highly publicised breach that caused a blackout affecting around 250,000 households in several regions of the country on 23 December 2015.
In a blog post, IT security researcher Anton Cherepanov described Industroyer as “highly customisable malware” that could also be used to attack other types of industrial control systems.
He added: “Regardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve as a wake-up call for those responsible for security of critical systems around the world.”
Dragos founder Robert M Lee said the malicious software was capable of attacking power systems across Europe and could be leveraged against the US with only “small modifications.”
Andrew Clarke from information security firm One Identity said of Industroyer: “Unlike Stuxnet, it does not appear to be built for a specific attack. It is modular, automated and appears to be configurable to target different types of industrial systems – so far electrical power grids.
“It was likely used to close down the power grid in parts of Kiev in December 2016. In order to launch an attack however, the malware does need to scan the target network, and it is the scanning – seen as unusual network traffic – that can alert administrators to its presence.”
Industroyer is thought to get inside the network by taking advantage of longstanding vulnerabilities including weak encryption keys. One component is a denial-of-service tool that exploits a well-known vulnerability in some Siemens devices.
In a paper about the software, ESET describes Industroyer as a highly sophisticated digital weapon that attackers evidently went to “great lengths” to create.
It contains several “payload components”, and the attackers utilise a custom-made port scanner to map the network and find computers relevant to their attack.
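The reconnaissance described above, and the detection opportunity Clarke points to, is the kind of thing a defender can check for in connection logs: in a substation network, an HMI polls a fixed, small set of devices, so a source suddenly touching many devices on control-protocol ports stands out. The following is an added example, not code from ESET, Dragos or the article; the log lines, the host addresses and the port list are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of connection records (not from the article): "src dst dport".
# 10.0.5.10 plays a legitimate HMI polling two RTUs; 10.0.5.20 behaves like the
# custom port scanner the article describes, sweeping substation devices.
SAMPLE_LOG = """\
10.0.5.10 10.0.5.31 2404
10.0.5.10 10.0.5.32 2404
10.0.5.10 10.0.5.31 2404
10.0.5.20 10.0.5.31 2404
10.0.5.20 10.0.5.32 2404
10.0.5.20 10.0.5.33 2404
10.0.5.20 10.0.5.34 2404
10.0.5.20 10.0.5.35 102
10.0.5.20 10.0.5.36 102
10.0.5.20 10.0.5.37 102
"""

# Assumed watch-list of control-protocol ports (2404 = IEC 60870-5-104,
# 102 = ISO-TSAP/MMS). Chosen for this example; tune it to the plant's own protocols.
ICS_PORTS = {102, 2404}


def parse_log(text):
    """Parse 'src dst dport' lines into (src, dst, int(dport)) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        records.append((src, dst, int(dport)))
    return records


def find_sweeps(records, min_targets=4):
    """Return {src: sorted distinct hosts} for sources that contacted at least
    min_targets distinct hosts on watched ports. An HMI polling a fixed set of
    RTUs stays below the threshold; a network sweep does not."""
    targets = defaultdict(set)
    for src, dst, dport in records:
        if dport in ICS_PORTS:
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, hosts in find_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"possible ICS sweep from {src}: {len(hosts)} hosts {hosts}")
```

In practice the threshold should be set from a baseline of normal HMI-to-device traffic, which in most substation networks is static enough that any new source-destination pair deserves a look.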
Discussing power networks at an information security event in London this month, Tim Erlin from the company Tripwire told E&T: “One of the things we generally have to acknowledge is that the most common causes of outages are still things like weather, natural disasters, human error and, in the US, squirrels.
“But on the information security side of things, people are really worried about external attackers, usually foreign nation state actors or terrorists, finding a vulnerability and compromising the electric grid in a way that allows them to shut off power.
“Shutting off power all by itself is a significant consequence. Shutting off power in coordination with some other event is an even bigger deal. So the idea is that if I can control that electric grid, and if I have some other thing that I am trying to accomplish, I can now actually worsen the impact of that other event.
“It’s all about reliability. It is just a matter of assessing how to mitigate those threats appropriately, and the threat from cyber-attack has certainly increased.
“There are also trends. One is the actual change in the threat environment itself. There are more groups of people interested in carrying out these types of attacks. Then there is the technology side: more of these systems are connected to the internet or to networks in some way that makes them vulnerable and available for attack.”