New malware identified in power industry

European malware researchers have uncovered new malicious software targeting grid industrial control systems.
Published: Wed 14 Jun 2017

It has only been six months since the last big hacking attack caused a blackout in Kiev, Ukraine, and already security researchers are warning the power industry that another is waiting in the shadows.

Researchers have uncovered malware, dubbed ‘Industroyer’ and ‘Crash Override’, which could have devastating effects. The discovery of yet another such malware points to the vulnerability of critical infrastructure.

Virus targets industrial control systems

Industroyer, analysed by researchers from the Slovakia-based anti-virus software outfit ESET and from Dragos, a US group that deals with critical-infrastructure security, is only the second known case of a virus developed to disrupt industrial control systems. The first was Stuxnet, which managed to sabotage the Iranian nuclear programme.

According to ESET and Dragos, the malware is the same as that used in the 2016 Ukraine incident.

The Industroyer virus could attack electricity substations and circuit breakers using industrial communication protocols which are standardised across a number of types of critical infrastructure – from power, water and gas supply to transportation control.

According to Anton Cherepanov, a senior malware researcher at ESET, the industrial protocols that Industroyer speaks were designed decades ago, when industrial systems were meant to be isolated from the outside world. He explains in a company press release: “Their communication protocols were not designed with security in mind. That means that the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware ‘to speak’ those protocols.”

That allows the malware to attack multiple types of critical infrastructure with only small changes. Attackers could adapt it to any environment, explains Cherepanov, “which makes it extremely dangerous”.

Andrew Clarke, of security firm One Identity, said: “This is as scary as it sounds. First, it’s very difficult to detect because it uses known and allowable code yet in nefarious modes.”
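The two points above (the protocols carry no authentication, and the traffic looks like legitimate protocol use) mean a defender cannot rely on spotting malformed packets; what can be checked is whether a control command came from a host that is allowed to send one, and whether one host is suddenly operating many substations at once. The following is an added illustration, not code from the article or from ESET or Dragos: the log format, the protocol label "ics-proto", the IP addresses, the allow list and the burst thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: only these engineering workstations may send control
# (operate/write) commands to substation gateways. Everything else is read-only.
AUTHORISED_CONTROL_SOURCES = {"10.0.10.5", "10.0.10.6"}
BURST_WINDOW = timedelta(seconds=60)   # constructed threshold
BURST_TARGETS = 3                      # distinct gateways hit inside the window

# Constructed log lines in a hypothetical "ts src dst protocol class detail" shape;
# "ics-proto" stands in for whichever standardised substation protocol is in use.
SAMPLE_LOG = """\
2017-06-14T02:00:01 10.0.10.5 10.0.20.11 ics-proto control operate breaker=Q1 value=off
2017-06-14T02:00:02 10.0.10.5 10.0.20.11 ics-proto monitor interrogation
2017-06-14T02:03:10 10.0.30.77 10.0.20.11 ics-proto control operate breaker=Q1 value=off
2017-06-14T02:03:11 10.0.30.77 10.0.20.12 ics-proto control operate breaker=Q2 value=off
2017-06-14T02:03:12 10.0.30.77 10.0.20.13 ics-proto control operate breaker=Q3 value=off
2017-06-14T02:03:13 10.0.30.77 10.0.20.13 ics-proto monitor interrogation
"""

def parse(line):
    """Split one log line into its fields; the detail part may contain spaces."""
    ts, src, dst, proto, cls, *detail = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "cls": cls, "detail": " ".join(detail)}

def detect(log_text, authorised=AUTHORISED_CONTROL_SOURCES):
    """Return (kind, ts, src, target, detail) alerts for control traffic that is
    protocol-valid but comes from the wrong host or fans out across many gateways."""
    alerts, recent, burst_seen = [], defaultdict(list), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["cls"] != "control":
            continue  # reads and interrogations are routine; only writes can trip gear
        if ev["src"] not in authorised:
            alerts.append(("unauthorised-source", ev["ts"], ev["src"], ev["dst"], ev["detail"]))
        # The fan-out check also catches a compromised *authorised* workstation.
        hist = recent[ev["src"]]
        hist.append((ev["ts"], ev["dst"]))
        hist[:] = [(t, d) for t, d in hist if ev["ts"] - t <= BURST_WINDOW]
        targets = sorted({d for _, d in hist})
        if len(targets) >= BURST_TARGETS and ev["src"] not in burst_seen:
            burst_seen.add(ev["src"])
            alerts.append(("control-burst", ev["ts"], ev["src"], ",".join(targets),
                           f"{len(hist)} control commands in {BURST_WINDOW.seconds}s"))
    return alerts
```

Run `detect(SAMPLE_LOG)` to see the rogue host flagged three times for unauthorised control commands and once for fanning out to three gateways within a minute, while the authorised workstation's identical-looking command raises nothing.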

Industroyer can trigger blackouts automatically, and over and above its attack functions it can damage the control PC itself, leaving it unbootable, which could lengthen a blackout.

Industrial environments exposed to virus

As with the WannaCry virus, it is possible to address the risk posed by Industroyer before it leads to disaster – but doing so will be costly and very time-consuming, explains Paul Elon, a director at cybersecurity firm Tripwire: “Due to economic pressures, it has become necessary for many organisations to centralise some of the management and control functions that would have previously been local to industrial plants, refineries, and distribution facilities.

“This centralisation has meant expanding the reach of the enterprise network into the industrial environment, and in doing so exposing those industrial environments to levels of cyber risk for which they were neither secured nor designed.”

The US Department of Homeland Security said it was investigating the malware although there is no evidence to suggest it has infected US critical infrastructure.

No specific attribution for the Kiev attack has been confirmed, but the Ukrainian government has blamed Russia, as it did for similar attacks in 2015. Officials in Moscow are denying responsibility.

Strengthen your defences

The research undertaken by ESET and Dragos highlights the growing need for governments around the world to strengthen their defences against damaging cyberattacks that can cause widespread disruption to critical infrastructure.

Terry Ray, Chief Product Strategist at Imperva, said in a statement: “We are beginning to see an uptick in infrastructure attacks and in the case of Industroyer, the attackers seem to have extensive knowledge about industrial control protocols.

“Since the industrial controls used in the Ukraine are the same in other parts of Europe, the Middle East and Asia, we could see more of these attacks in the future. And while these attackers seem to be content to disrupt the system, it’s not outside the realm of possibility that they could take things a step further and inflict damage to the systems themselves.”