A week before last Christmas on December 17, hackers with suspected ties to Russia took down the electric transmission station north of Kiev city, blacking out a portion of the Ukranian capital for about an hour which was equivalent to a fifth of its total power capacity. The cyber security researchers have now found an advanced malware that may have triggered the blackout as a mere dry run.
Cybersecurity firms ESET and Dragos Inc. plan today to release detailed analyses of a piece of malware used to attack electric utility Ukrenergo seven months ago, what they say represents a dangerous advancement in critical infrastructure hacking. The researchers describe that malware, which they’ve alternately named “Industroyer” or “Crash Override,” as only the second-ever known case of malicious code purpose-built to disrupt physical systems. The first, Stuxnet, was used by the US and Israel to destroy centrifuges in an Iranian nuclear enrichment facility in 2009.
Crash Override is a completely new platform that was far more advanced than the general-purpose tools the same group used to attack Ukraine's power grid in December 2015. Instead of gaining access to the Ukrainian utilities’ networks and manually switching off power to electrical substations, as hackers did in 2015, the 2016 attack was fully automated. It was programmed to include the ability to “speak” directly to grid equipment, sending commands in the obscure protocols those controls use to switch the flow of power on and off. That means Crash Override could perform blackout attacks more quickly, with far less preparation, and with far fewer humans managing it, says Dragos’ Rob Lee.
This discovery is prompting concerns that the attack tools can be used against a broad range of electric grids around the world to sabotage operations including America. The malware is designed to take advantage of the world’s outdated power grids to shut off electricity in entire cities. The malware targets circuit breakers and is able to hijack electrical systems from afar by taking advantage of communication protocols for power supply, infrastructure, transportation controls and water and gas systems used all over the world which can hit more closer to home than email and data breaches.
The researchers say this new malware can automate mass power outages and includes swappable, plug-in components that could allow it to be adapted to different electric utilities, easily reused, or even launched simultaneously across multiple targets. They argue that those features suggest Crash Override could inflict outages far more widespread and longer lasting than the Kiev blackout.
What makes Crash Override so sophisticated is its ability to use the same arcane technical protocols that individual electric grid systems rely on to communicate with one another. The malware’s dangerousness lies in the fact that it uses protocols in the way they were designed to be used. The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world. Thus, their communication protocols were not designed with security in mind. That means that the attackers didn't need to be looking for protocol vulnerabilities; all they needed was to teach the malware "to speak" those protocols. As such, the malware is more notable for its mastery of the industrial processes used by global grid operators than its robust code. Its fluency in the low-level grid languages allowed it to instruct Ukrainian devices to de-energize and re-energize substation lines.
As technology grows smarter and helps manage our homes, cities and businesses, it's become a prime target for both criminal and nation-state hackers. ESET security researcher Robert Lipovsky says, “If this is not a wake-up call, I don’t know what could be.”
The cyberattack-caused blackout in Kiev didn't lead to any disasters, but experts warn that it's only a preview of the future of cyber warfare.
Attacks targeting infrastructure can lead to chaos, like when engineers hacked into Los Angeles' traffic signal system and purposely created traffic jams. That makes it the biggest threat to industrial systems.
