The experts published a detailed analysis of the malware and speculated that the malicious code was involved in the December 2016 attack on an electrical substation in Ukraine.
“Win32/Industroyer is a sophisticated piece of malware designed to disrupt the working processes of industrial control systems (ICS), specifically industrial control systems used in electrical substations.
Those behind the Win32/Industroyer malware have a deep knowledge and understanding of industrial control systems and, specifically, the industrial protocols used in electric power systems” states the report published by ESET.
ESET shared some data with ICS security firm Dragos that tracked the malware as CRASHOVERRIDE and the threat actor responsible for the campaign as ELECTRUM.
Industroyer is a sophisticated modular malware that includes several components: a main backdoor, a launcher, a data wiper, at least four payloads, and a number of additional tools. The experts focused their analysis on the payloads, which implement the IEC 60870-5-101 (aka IEC 101), IEC 60870-5-104 (aka IEC 104), IEC 61850 and OLE for Process Control Data Access (OPC DA) protocols. These are the core components of the malware in the attacks, because they are what allow it to control electric circuit breakers.
The Industroyer backdoor allows attackers to execute various commands on the targeted system. Its C&C server is hidden in the Tor network, and the backdoor can be programmed to be active only at specified times, which makes its detection harder.
The backdoor installs the launcher component, which initiates the wiper and the payloads; it also drops a second backdoor disguised as a trojanized version of the Windows Notepad application.
The wiper component is used in the final stage of the attack to hide the attackers' tracks and make it difficult to restore the targeted systems.
The payloads implement industrial communication protocols, and it is through them that the malware controls circuit breakers. Researchers at ESET believe the malware's developers have a deep knowledge of power grid operations and industrial network communications.
“In addition to all that, the malware authors also wrote a tool that implements a denial-of-service (DoS) attack against a particular family of protection relays, specifically the Siemens SIPROTEC range,” continues ESET. “The capabilities of this malware are significant. When compared to the toolset used by threat actors in the 2015 attacks against the Ukrainian power grid which culminated in a blackout on December 23, 2015 (BlackEnergy, KillDisk, and other components, including legitimate remote access software) the gang behind Industroyer are more advanced, since they went to great lengths to create malware capable of directly controlling switches and circuit breakers.”
Both ESET and Dragos collected evidence suggesting that Industroyer/CRASHOVERRIDE was involved in the 2016 power outage in the Kiev region, which has been attributed to Russian state-sponsored hackers.
Researchers at Dragos believe the ELECTRUM APT group is directly linked to the Sandworm APT group. ESET highlighted that, while there are no code similarities between the malware used in the 2015 and 2016 attacks in Ukraine, some components are similar in concept.
“The CRASHOVERRIDE malware impacted a single transmission level substation in Ukraine on December 17th, 2016. Many elements of the attack appear to have been more of a proof of concept than what was fully capable in the malware. The most important thing to understand though from the evolution of tradecraft is the codification and scalability in the malware towards what has been learned through past attacks” states the report published by Dragos.
Researchers at Dragos also described theoretical attack scenarios that the malware makes possible. In the first, the attackers use Industroyer's protocol payload to send "open" commands to closed breakers in an infinite loop, causing the substation to de-energize.
“The command then begins an infinite loop and continues to set addresses to this value effectively opening closed breakers. If a system operator tries to issue a close command on their HMI the sequence loop will continue to re-open the breaker. This loop maintaining open breakers will effectively de-energize the substation line(s) preventing system operators from managing the breakers and re-energize the line(s).” states the Dragos report.
Because the operators of the targeted facility cannot close the breakers from the HMI, restoring service requires them to interrupt communications with the substation and fix the problem manually.
In another possible attack scenario, the attackers initiate an infinite loop in which breakers continually open and close, which can trigger protection functions and cause the substation to shut down.
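As an added example (not code from the Security Affairs article, from ESET or Dragos, or from the malware itself), the following Python sketch shows how a defender monitoring substation traffic could spot the two loops described above on the wire. One of Industroyer's payloads speaks IEC 104, so the sketch parses IEC 104 I-format frames carrying single commands (type 45, C_SC_NA_1) and raises an alert when one information object address receives a burst of activation commands, reporting whether the commanded value is held constant (the "keep the breakers open" loop) or alternates (the open/close toggle). The frame builder, the sample traffic, the addresses 1001/2001/2002, the five-second window and the threshold of ten commands are all assumptions chosen for illustration. Whether SCS=0 means "open" depends on the substation's point configuration, which the page does not describe, so the detector keys on the command burst rather than on the value.

```python
"""Minimal IEC 60870-5-104 single-command parser plus a burst detector for
the two Industroyer/CRASHOVERRIDE scenarios: one address held in one state
by a command loop, and one address toggled open/close. All traffic below is
constructed for the example; it is not a real capture."""
from collections import defaultdict

TYPE_C_SC_NA_1 = 45   # single command (used for breaker open/close)
COT_ACTIVATION = 6    # cause of transmission: activation


def build_single_command(ioa, scs, seq=0, ca=1, cot=COT_ACTIVATION):
    """Build an I-format APDU carrying one C_SC_NA_1 (helper for sample traffic)."""
    send = (seq << 1) & 0xFFFE          # I-format: bit 0 of control octet 1 is 0
    ctrl = bytes([send & 0xFF, send >> 8, 0x00, 0x00])
    asdu = bytes([
        TYPE_C_SC_NA_1, 0x01,           # type id, VSQ: one object, SQ=0
        cot & 0x3F, 0x00,               # cause of transmission, originator address
        ca & 0xFF, (ca >> 8) & 0xFF,    # common address of ASDU (2 bytes LE)
        ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF,  # IOA (3 bytes LE)
        scs & 0x01,                     # SCO: bit 0 = SCS (0 = OFF, 1 = ON), execute
    ])
    body = ctrl + asdu
    return bytes([0x68, len(body)]) + body


def parse_single_command(frame):
    """Return a dict for an I-format APDU carrying one C_SC_NA_1, else None."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        raise ValueError("malformed IEC 104 APDU")
    if frame[2] & 0x01:                 # S- or U-format frame: carries no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 10 or asdu[0] != TYPE_C_SC_NA_1 or (asdu[1] & 0x7F) != 1:
        return None
    return {
        "cot": asdu[2] & 0x3F,
        "ca": asdu[4] | (asdu[5] << 8),
        "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
        "scs": asdu[9] & 0x01,
        "select": bool(asdu[9] & 0x80),
    }


def detect_command_bursts(events, window_s=5.0, threshold=10):
    """events: iterable of (timestamp_s, apdu_bytes). Returns one alert per IOA
    that receives at least `threshold` activation commands in any `window_s`."""
    per_ioa = defaultdict(list)
    for ts, frame in events:
        cmd = parse_single_command(frame)
        if cmd is None or cmd["cot"] != COT_ACTIVATION:
            continue
        per_ioa[cmd["ioa"]].append((ts, cmd["scs"]))
    alerts = []
    for ioa, cmds in sorted(per_ioa.items()):
        cmds.sort()
        start = 0
        for end in range(len(cmds)):          # sliding window over this IOA's commands
            while cmds[end][0] - cmds[start][0] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                values = {scs for _, scs in cmds[start:end + 1]}
                alerts.append({
                    "ioa": ioa,
                    "count": count,
                    "first_ts": cmds[start][0],
                    # one repeated value = breaker held in a state; both = toggling
                    "pattern": "held" if len(values) == 1 else "toggling",
                })
                break
    return alerts


def constructed_traffic():
    """Constructed sample: two benign operator commands on IOA 1001 minutes apart,
    an S-format ack, a loop holding IOA 2001 OFF, and an ON/OFF toggle on IOA 2002."""
    events = [(0.0, build_single_command(1001, 1, seq=1)),
              (90.0, build_single_command(1001, 0, seq=2)),
              (91.0, bytes([0x68, 0x04, 0x01, 0x00, 0x04, 0x00]))]   # S-format ack
    for i in range(30):                       # scenario 1: same command in a loop
        events.append((120.0 + 0.2 * i, build_single_command(2001, 0, seq=10 + i)))
    for i in range(30):                       # scenario 2: alternating open/close
        events.append((200.0 + 0.2 * i, build_single_command(2002, i % 2, seq=50 + i)))
    return events


if __name__ == "__main__":
    for alert in detect_command_bursts(constructed_traffic()):
        print(alert)
```

Run stand-alone, the script prints one alert for IOA 2001 (pattern "held") and one for IOA 2002 (pattern "toggling"); the two operator commands on IOA 1001 stay below the threshold. In a real deployment the window and threshold must be tuned against the site's normal control traffic, and the alert should carry the source IP of the commanding station, since a loop coming from a host that is not the usual HMI or gateway is the stronger signal.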
(Security Affairs – SCADA, Industroyer malware)