Some cyberattacks take a device offline, some take companies offline, and some take entire power grids down. The potential for the latter now exists: new malware has emerged that can cause power outages by instructing industrial control computers to shut down electricity transmission. It is known as Crash Override, or Industroyer, and it is the malware responsible for the Ukrainian power outage back in December.
The December attack, which took out an electric transmission station north of Kiev and blacked out a portion of the Ukrainian capital for an hour, appears to have been only an initial test. The attackers now seem to be testing the most evolved variant of grid-infecting malware observed yet, one said to be capable of causing outages lasting up to a few days in portions of a nation’s grid.
How exactly does it work? Although the attack vector has not been confirmed, the infection is reported to start with phishing emails. The malware runs only on Microsoft Windows systems and then attempts to communicate with ICS devices using four payloads, one for each of four ICS protocols:
IEC 60870-5-101 (aka IEC 101)
IEC 60870-5-104 (aka IEC 104)
IEC 61850
OLE for Process Control Data Access (OPC DA)
Once inside, the malware installs a second backdoor, a trojanized version of Windows Notepad. This second backdoor serves as a fallback in case the main backdoor is discovered, and it allows the malware to survive reboots.
Additionally, the threat actors used a custom DDoS tool that exploited a flaw, classified as CVE-2015-5374, to render Siemens SIPROTEC devices unresponsive. They also used a custom port scanner to map the target’s network and a custom data wiper to crash the infected Windows devices and complicate incident response for IT security analysts.
What next? The good news is that known malicious samples are detected with a minimum DAT of 8568 for VSE and Web Gateway, or 3019 for ENS, and Microsoft has patches available. Make sure to keep Windows systems and ICS devices up to date. The malware can also be detected if utility companies monitor their networks for abnormal traffic, including signs that the malware is searching for the location of substations or sending messages to switching equipment.
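As an added illustration of that network-monitoring idea (example code written for this post, not code from the original article or from any vendor product): a minimal decoder for IEC 104 frames that flags activation commands from hosts outside the known master set, and a single host walking through many breaker addresses on one station, the sweep pattern described above. The allowed-master set, IP addresses and the alert threshold are assumptions, and the sample frames are constructed for offline testing.

```python
import struct
from collections import defaultdict

# ASDU type identifiers in the control direction (commands) and the size of the
# information element that follows each 3-byte IOA, per IEC 60870-5-101/-104.
COMMAND_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
                 49: "C_SE_NB_1", 50: "C_SE_NC_1", 51: "C_BO_NA_1", 100: "C_IC_NA_1"}
ELEMENT_SIZE = {45: 1, 46: 1, 47: 1, 48: 3, 49: 3, 50: 5, 51: 4, 100: 1}
COT_ACTIVATION = 6  # cause of transmission "activation": a command being issued

def parse_apdu(apdu: bytes):
    """Decode one IEC 104 APDU. Returns (type_id, cot, common_addr, [ioa, ...]) for an
    I-format frame, or None for S/U-format frames, which carry no ASDU."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        raise ValueError("malformed APCI")
    if apdu[2] & 0x01:  # bit 0 of control octet 1 set: S- or U-format
        return None
    asdu = apdu[6:]
    type_id, count = asdu[0], asdu[1] & 0x7F  # VSQ: bit 7 = SQ, bits 0-6 = object count
    cot = asdu[2] & 0x3F                      # low 6 bits; bit 6 = P/N, bit 7 = test
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioas, pos = [], 6
    if type_id in ELEMENT_SIZE:  # only commands are decoded further (SQ=0 layout)
        for _ in range(count):
            ioas.append(int.from_bytes(asdu[pos:pos + 3], "little"))
            pos += 3 + ELEMENT_SIZE[type_id]
    return type_id, cot, common_addr, ioas

def find_command_anomalies(packets, allowed_masters, max_ioas=5):
    """packets: iterable of (src_ip, apdu_bytes) as a passive sensor would see them.
    Flags (a) activation commands from any host outside the known master set and
    (b) one host commanding more than max_ioas distinct IOAs on a common address."""
    alerts, targets, flagged = [], defaultdict(set), set()
    for src, apdu in packets:
        parsed = parse_apdu(apdu)
        if parsed is None:
            continue
        type_id, cot, ca, ioas = parsed
        if type_id not in COMMAND_TYPES or cot != COT_ACTIVATION:
            continue  # monitoring data, confirmations, terminations: not a command
        name = COMMAND_TYPES[type_id]
        if src not in allowed_masters:
            alerts.append(f"{src}: {name} activation from unauthorized host, CA {ca}")
        targets[(src, ca)].update(ioas)
        if len(targets[(src, ca)]) > max_ioas and (src, ca) not in flagged:
            flagged.add((src, ca))  # fire once per (host, station)
            alerts.append(f"{src}: {name} sweep over >{max_ioas} IOAs on CA {ca}")
    return alerts

def sample_frame(type_id, cot, ca, ioa, value):
    """Build a constructed single-object APDU (1-byte element) for offline tests only."""
    asdu = bytes([type_id, 1, cot, 0]) + struct.pack("<H", ca) + ioa.to_bytes(3, "little")
    return bytes([0x68, 4 + len(asdu) + 1, 0, 0, 0, 0]) + asdu + bytes([value])
```

In a real deployment the (src, apdu) pairs would come from a span-port capture of TCP port 2404, and the threshold would be tuned to the number of points a legitimate master normally commands in one session.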