Modular malware menaces mains grids

Researchers are warning that the strain of malware behind the widely-publicised 2016 power outage in Ukraine could be used against industrial control systems worldwide.

Source: ESET

The malware used in the attack, which disrupted an electricity substation in the capital of Kiev, is thought to be the first to be specifically tailored to mains grids. 

It is the second strain of malware known to have been successfully used against industrial control systems after Stuxnet, which was deployed against a nuclear fuel enrichment facility in Iran in 2010.

Security vendors ESET and Dragos worked together to analyse samples of the malware captured in the Ukraine attack, which the pair have named W32/Industroyer [pdf] and CrashOverride [pdf] respectively.

In the 2016 Ukraine attack, Industroyer was able to directly control switches and circuit breakers, using industry standard device communications protocols.

This is unlike the 2015 attacks against the mains grid in Ukraine, which used the BlackEnergy malware to gain access to systems and legitimate commands, and plant destructive applications inside computers, causing blackouts in the country.

Industroyer is modular and supports four International Electrotechnical Commission protocols used in Europe and the Middle East.

As the malware is extensible, it is possible to add North American mains grid control protocols as well - the security vendors said the malware can be deployed against multiple targets.

The malware is only capable of causing hour- or day-long outages because mains grids are "robustly designed" and encompass "failure modes and operations [that] can normally compensate," Dragos said.

Apart from controlling switches, Industroyer can also perform denial of service attacks against Siemens-made relays, wipe data on Windows computers and Asea Brown Boveri ICS devices, and provide remote access via a backdoor feature.

It does not contain any espionage features.

Neither ESET nor Dragos directly identified the culprits behind Industroyer, but said it was likely a hacking group codenamed Electrum. 

Electrum may be the same group as Sandworm, which was behind the 2015 mains grid attacks in Ukraine, and is thought to have ties to Russian intelligence agencies.