In December 2016, Ukraine's power grid was hit by an unprecedented malware attack. Parts of Kiev were plunged into darkness. The outage lasted roughly an hour, only a brief glimpse of a new, early-stage cyber weapon. It was the first known case of malware built specifically to attack electrical grid systems. Analysis since then shows it to be considerably more potent than that attack revealed, and the details are now in the public domain.
Security firm Dragos named the malware responsible for the attack 'Crash Override', stating in a blog post that it "represents alarming tradecraft and the ability to disrupt operations". The attack on Ukraine used only a fraction of the malware's capability: the samples analysed since contain features that were never exercised in 2016, a blend of never-before-seen and traditional intrusion techniques.
Override's main components are a backdoor, which gives the attackers access to an infected system; a launcher (loader) module that runs additional code; and individual payload modules for different targets.
Once inside a grid control network through that backdoor, Crash Override speaks the same industrial protocols that grid equipment uses to communicate. It has no espionage purpose; it is designed not to spy, but to disrupt.
Once in control, it can issue its own commands, switching parts of the grid on or off at the substation level. It does this by opening circuit breakers through RTUs and then repeating the open command in an endless loop, so that the breakers stay open even when grid operators try to close them again.
Remote Terminal Units (RTUs) are the devices that sit between the physical equipment in a substation and the control system that supervises it. Manipulating them can cut power to targeted areas, and the program's code is written with exactly that in mind.
Analysis by anti-virus firm Eset found a number of instances of the name 'crash.dll' in the malware. The payload modules target four industrial protocols in use around the world (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA), meaning that it can readily be re-purposed across Europe, parts of the Middle East and Asia, and, with an additional module for the DNP3 protocol common there, North America.
Analysts at Dragos say that "many elements of the [2016] attack appear to have been more of a proof of concept than what was fully capable in the malware." The design builds on lessons from earlier ICS malware: it understands industrial protocols, as STUXNET did, and, like BLACKENERGY 2, it can use internet-connected human-machine interfaces (HMIs) as a way in where they are exposed.
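The breaker-control loop described above, expressed as traffic on IEC 60870-5-104 (one of the four protocols the modules implement), together with a detection check a grid operator could run over a capture. This is an added example, not code from the article, from Dragos or Eset, or from the malware itself; the IP addresses, the information object address 4097, the timings and the choice of "three identical execute commands within five seconds" as the alarm threshold are all assumptions made for the illustration, and the packets are constructed inline rather than captured.

```python
"""Parse IEC 60870-5-104 control frames and flag a repeated breaker-command loop.

Added example, not code from the article or from any of the malware reports.
The packets below are constructed; IP addresses, IOAs and timings are assumptions.
"""
import struct
from collections import defaultdict

# ASDU type identifiers defined by IEC 60870-5-101/104
C_SC_NA_1 = 45    # single command (one switching object)
C_DC_NA_1 = 46    # double command (OFF = 1, ON = 2)
C_IC_NA_1 = 100   # general interrogation
COT_ACTIVATION = 6
COMMAND_TYPES = {C_SC_NA_1, C_DC_NA_1}


def build_iframe(type_id, ioa, element, asdu_addr=1, ns=0, nr=0, cot=COT_ACTIVATION):
    """Build one 104 APDU (I-format) carrying a single information object."""
    asdu = struct.pack("<BBBBH", type_id, 1, cot, 0, asdu_addr)  # VSQ = 1 object, originator 0
    asdu += ioa.to_bytes(3, "little") + bytes([element])
    # bit 0 of the first control octet is 0 for I-format, so N(S)/N(R) are shifted left by one
    control = struct.pack("<HH", (ns << 1) & 0xFFFF, (nr << 1) & 0xFFFF)
    return bytes([0x68, len(control) + len(asdu)]) + control + asdu


def parse_iframe(apdu):
    """Decode an I-frame with one object; return None for S-/U-format frames."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        raise ValueError("malformed APCI")
    if apdu[2] & 0x01:           # S- or U-format frame: carries no ASDU
        return None
    if len(apdu) < 16:
        raise ValueError("ASDU too short for one information object")
    type_id, _vsq, cot, _orig, asdu_addr = struct.unpack("<BBBBH", apdu[6:12])
    info = {"type_id": type_id, "cot": cot, "asdu_addr": asdu_addr,
            "ioa": int.from_bytes(apdu[12:15], "little"),
            "element": apdu[15], "select": False, "action": None}
    if type_id == C_SC_NA_1:     # SCO: bit 0 = state, bit 7 = select (1) / execute (0)
        info["select"] = bool(info["element"] & 0x80)
        info["action"] = "ON" if info["element"] & 0x01 else "OFF"
    elif type_id == C_DC_NA_1:   # DCO: bits 0-1 = 1 OFF, 2 ON; bit 7 as above
        info["select"] = bool(info["element"] & 0x80)
        info["action"] = {1: "OFF", 2: "ON"}.get(info["element"] & 0x03, "INVALID")
    return info


def detect_command_loops(packets, trusted_masters, window_s=5.0, threshold=3):
    """packets: iterable of (timestamp, src_ip, apdu). Returns (rule, src, ioa) alerts.

    Two rules: an execute command from a host that is not a known SCADA master, and
    the same execute command hammered at the same object more than `threshold` times
    inside `window_s` seconds (the 'keep the breaker open' loop).
    """
    alerts, recent = [], defaultdict(list)
    flagged_loops, flagged_sources = set(), set()
    for ts, src, apdu in packets:
        asdu = parse_iframe(apdu)
        if asdu is None or asdu["type_id"] not in COMMAND_TYPES:
            continue             # interrogations, monitoring data, S/U frames: not breaker control
        if asdu["select"]:
            continue             # only the execute step actually operates the breaker
        if src not in trusted_masters and src not in flagged_sources:
            flagged_sources.add(src)
            alerts.append(("untrusted_master", src, asdu["ioa"]))
        key = (src, asdu["asdu_addr"], asdu["ioa"], asdu["action"])
        hist = recent[key]
        hist.append(ts)
        hist[:] = [t for t in hist if ts - t <= window_s]
        if len(hist) >= threshold and key not in flagged_loops:
            flagged_loops.add(key)
            alerts.append(("command_loop", src, asdu["ioa"]))
    return alerts


def sample_capture():
    """Constructed traffic: a legitimate operator action, then an attacker's loop."""
    master, intruder, breaker = "10.0.0.5", "10.0.0.77", 4097   # assumed addresses
    packets = [
        (0.0, master, build_iframe(C_IC_NA_1, 0, 20)),             # general interrogation
        (1.0, master, build_iframe(C_SC_NA_1, breaker, 0x81, ns=1)),  # select ON
        (1.2, master, build_iframe(C_SC_NA_1, breaker, 0x01, ns=2)),  # execute ON
    ]
    for i in range(5):           # five "execute OFF" commands in half a second
        packets.append((10.0 + 0.1 * i, intruder, build_iframe(C_DC_NA_1, breaker, 0x01, ns=i)))
    return packets


def run_example():
    return detect_command_loops(sample_capture(), trusted_masters={"10.0.0.5"})


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The operator's own select-then-execute sequence produces no alert, because a single execute per object is normal; the loop rule fires on the third identical execute from the unknown host and stays quiet afterwards, so a real deployment would want the thresholds tuned per site and the trusted-master list drawn from the actual SCADA topology.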
Large-scale attacks on power grids could have devastating repercussions. Grids supply hospitals with energy and homes with heating and light, and they underpin the infrastructure of everyday life. Override is built to gain a foothold in these systems and take over their controls.
Override-induced outages have not been seen to last for weeks or months, but they can run for hours or even days. Eset, which analysed the malware independently, calls it "Industroyer".
What makes Override so dangerous is the combination of old and new malware attributes: implementations of Industrial Control System (ICS) protocol stacks alongside conventional, non-ICS-specific tooling. Once embedded in a control network, it can leave operators with a misleading picture of equipment state, hampering their ability to troubleshoot. It also uses a known software vulnerability to knock out protective equipment.
Specifically, it carries a denial-of-service tool aimed at Siemens SIPROTEC protection relays (CVE-2015-5374): a crafted packet leaves the relay unresponsive until it is manually restarted, so the malware hits the system from several angles at once. Siemens patched the flaw in 2015, so the tool only works against relays that were never updated, but it demonstrates that Override doesn't rely on a single method of exploitation but mounts a multi-pronged attack.
Tracking the source of an Override attack is also difficult. Its command-and-control servers are reached through the Tor network, and it includes a data wiper that lets attackers destroy their traces on the machines it touched.
Even once detected, removing Override from power systems is complicated. It installs a second, backup backdoor, disguised as a trojanised copy of Windows Notepad, so that even after the primary backdoor and the original point of infection have been removed, the attackers can retain control.
Dragos describes this as a "sophisticated" design: because it speaks standard grid protocols, it is not tied to any particular vendor or configuration and needs little site-specific knowledge to do damage.
"There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites," analysts at Dragos wrote in their report.
"However, it is important to know this is not a catastrophic scenario; there is no evidence the ELECTRUM actors could use CRASHOVERRIDE to do more than a few days of outages, and even to get a few days, would require the targeting of multiple sites simultaneously which is entirely possible but not trivial."
Even during an Override infection, operators can fall back to manual operation of substations and restore power by hand, as Ukrainian engineers did in 2016. This takes time, but it remains a reliable safeguard against this new breed of cyberattack.
This article was originally published by WIRED UK