On the 12th of June, Dragos and ESET released reports [1,2] and blog posts [3,4] about malware that targets industrial control systems (ICS), with a focus on electricity grid operators. The malware framework is known as CRASHOVERRIDE or INDUSTROYER and has gained significant media attention in recent days. It is suspected to have been used in the second round of cyber-attacks on Ukrainian grid operators in December 2016, which caused power outages in parts of Kiev.

Contrary to some news reports, CRASHOVERRIDE does not infect embedded industrial equipment. It targets Windows systems in the SCADA control center and in substations that have access to mission-critical devices, such as RTUs and protection relays that control switches and circuit breakers.

The basic techniques employed by CRASHOVERRIDE are not new in tradecraft: it is a modular backdoor that connects back to a Command and Control (C&C) server and waits for further instructions. The C&C server is an attacker-controlled machine on the internet that is used to manage the infected hosts.

What is new in CRASHOVERRIDE is the ability to load communication modules that speak ICS protocols. CRASHOVERRIDE has modules for the protocols commonly used by European grid operators, namely:

IEC 60870-5-101
IEC 60870-5-104
IEC 61850
OPC DA

The malware uses these capabilities to discover potential control devices (RTUs) on the network, either by active scanning or by passive observation, and then enumerates them looking for the registers that control switches and circuit breakers. It can open such breakers and put the RTU into an infinite command loop, which prevents operators from closing them remotely. No vulnerability is exploited on the target device; rather, the inherently insecure nature of these industrial protocols is abused.

It should be stressed that CRASHOVERRIDE can only be used once it has been installed on a Windows host in a control center or substation. The malware itself does not provide a method to reach such hosts. Instead, an initial compromise must be carried out by other vectors, such as a phishing campaign, followed by lateral movement towards the SCADA system. Utilities should try to stop an attack in these earlier stages, before CRASHOVERRIDE can be used.

Grid operators can defend against CRASHOVERRIDE by following the recommended best practices for segregating SCADA networks from IT networks. US-CERT [5], Dragos [6] and ESET [7] also provide detection rules and indicators of compromise. Although the immediate threat from CRASHOVERRIDE is not prominent, the fact that certain groups are actively developing and testing cyber capabilities to interfere with the operation of the electricity grid should not be taken lightly. It signals an alarming shift in the threat landscape of such systems.
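As an added illustration of the detection side (example code written for this post, not taken from the Dragos or ESET reports or their published rules): a minimal IEC 60870-5-104 decoder and a detector that flags control commands sent by hosts other than the known SCADA master, and a single point being commanded repeatedly, which is the pattern the command loop described above would produce on the wire. The host addresses, thresholds and sample frames are constructed assumptions, and the decoder assumes one complete APDU per frame.

```python
from collections import defaultdict

# IEC 60870-5-104 type IDs for commands in the control direction (single/double command)
CONTROL_TYPE_IDS = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 58: "C_SC_TA_1", 59: "C_DC_TA_1"}
COT_ACTIVATION = 6  # cause of transmission: activation

def parse_apdu(raw):
    """Decode APCI and, for I-format frames, the ASDU header plus first IOA.
    Returns None for S/U-format frames and malformed input. Simplification:
    one complete APDU per call, no TCP stream reassembly."""
    if len(raw) < 6 or raw[0] != 0x68 or raw[1] != len(raw) - 2:
        return None
    if raw[2] & 0x01:  # control octet 1, bit 0 set: S-format or U-format, no ASDU
        return None
    asdu = raw[6:]
    if len(asdu) < 9:  # type, VSQ, COT(2), CA(2), IOA(3)
        return None
    return {"type_id": asdu[0], "n_objects": asdu[1] & 0x7F,
            "cot": asdu[2] & 0x3F,  # bit 6 = P/N, bit 7 = test flag
            "ca": int.from_bytes(asdu[4:6], "little"),
            "ioa": int.from_bytes(asdu[6:9], "little")}

def detect_control_anomalies(frames, allowed_masters, max_per_window, window_s):
    """frames: iterable of (timestamp, src_ip, raw_apdu). Returns alert strings for
    (a) control activations from hosts that are not known SCADA masters and
    (b) one point commanded more than max_per_window times within window_s."""
    alerts, recent = [], defaultdict(list)
    for ts, src, raw in frames:
        p = parse_apdu(raw)
        if p is None or p["type_id"] not in CONTROL_TYPE_IDS or p["cot"] != COT_ACTIVATION:
            continue
        point = f"CA {p['ca']} IOA {p['ioa']}"
        if src not in allowed_masters:
            alerts.append(f"{ts:.1f} {src}: {CONTROL_TYPE_IDS[p['type_id']]} to {point} from non-master host")
        key = (src, p["ca"], p["ioa"])
        recent[key] = [t for t in recent[key] if ts - t <= window_s] + [ts]
        if len(recent[key]) == max_per_window + 1:  # alert once, as the threshold is crossed
            alerts.append(f"{ts:.1f} {src}: {len(recent[key])} commands to {point} in {window_s}s (possible command loop)")
    return alerts

# Constructed sample traffic (not captured data): 6-byte APCI followed by the ASDU
SINGLE_CMD = bytes.fromhex("680e00000000" "2d0106000100" "010000" "01")   # C_SC_NA_1, act, CA 1, IOA 1
INTERROGATE = bytes.fromhex("680e00000000" "640106000100" "000000" "14")  # C_IC_NA_1: not a control command
S_FRAME = bytes.fromhex("680401000000")                                   # S-format: no ASDU
SAMPLE_FRAMES = [(0.0, "10.0.0.5", INTERROGATE), (1.0, "10.0.0.5", SINGLE_CMD), (1.5, "10.0.0.5", S_FRAME)]
SAMPLE_FRAMES += [(10.0 + 0.2 * i, "10.0.0.99", SINGLE_CMD) for i in range(6)]  # unexpected host, same point repeatedly

def run_sample():
    return detect_control_anomalies(SAMPLE_FRAMES, {"10.0.0.5"}, max_per_window=3, window_s=10.0)
```

On the sample traffic, the legitimate master's single command raises nothing, while the unexpected host produces six non-master alerts and one command-loop alert when its fourth command to the same point lands inside the window.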

References:

[1] https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
[2] https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
[3] https://dragos.com/blog/crashoverride/
[4] https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
[5] https://www.us-cert.gov/ncas/alerts/TA17-163A
[6] https://github.com/dragosinc/CRASHOVERRIDE
[7] https://github.com/eset/malware-ioc/tree/master/industroyer