KIEV, UKRAINE – Security researchers have recently discovered that a new malware strain was responsible for shutting down a large area of Kiev’s power grid back in December of last year. Referred to as “Industroyer,” or “CrashOverRide,” the malware was specifically designed to target critical industrial control systems, according to reports.
Ukraine was hit with a separate cyber-attack aimed at shutting down power supplies in December of 2015, carried out with a different malware named “BlackEnergy,” and the two incidents are not to be confused. Researchers from ESET and Dragos state that Industroyer appears to have been created from scratch and does not share code with BlackEnergy.
Industroyer is reportedly the most significant threat of its kind, and represents a hazardous advancement in infrastructure hacking. A report from The Hacker News (THN) recalls Stuxnet, “the first malware allegedly developed by the US and Israel to sabotage the Iranian nuclear facilities in 2009.” For any nation that uses nuclear power, the implications are obvious.
THN adds that, unlike Stuxnet, Industroyer doesn’t exploit “zero-day” software vulnerabilities, but instead abuses four industrial communication protocols that are used worldwide. The new malware can control electricity substation switches and circuit breakers, which lets the attacker easily turn power distribution off; the ensuing cascade of failures can potentially cause additional equipment damage.
One ESET researcher explains:
“Industroyer payloads show the authors’ in-depth knowledge and understanding of industrial control systems. The malware contains a few more features that are designed to enable it to remain under the radar, to ensure the malware’s persistence, and to wipe all traces of itself after it has done its job.”
It should quickly be clarified that, in total, four malware families of this sort have been discovered: Industroyer, BlackEnergy, Stuxnet, and another called Havex. And while Stuxnet and Industroyer were designed only for sabotage, BlackEnergy and Havex were meant for espionage.
According to Dragos analysis:
“The functionality in the CrashOverRide [Industroyer] framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages.”
The analysis suggests Industroyer can cause power outages far more widespread and longer-lasting than the one Kiev suffered last December, and both government authorities and grid companies have been made aware of the threat. It is believed that the 2016 Kiev attack was conducted by a group of state-sponsored Russian hackers known as the “Sandworm Team.”