Report: Cyberthreat can target electric grids around the world

A sophisticated malware framework that was behind a December 2016 cyberattack on a Ukrainian power grid can be reconfigured to attack just about any grid system in the world, according to a new analysis.

 

What: "CRASHOVERRIDE: Analyzing the Threat to Electric Grid Operations," a new report by Dragos Inc.

Why: Cyberattacks to power and electric systems are one of the nightmare scenarios that keep cybersecurity and IT professionals as well as policymakers up at night. One such attack platform, the malware framework behind the December 2016 cyberattack on a Ukrainian substation, could be adapted to shut down systems all over the world, according to a report from Dragos Inc.

Slovakian firm ESET notified Dragos on June 8, 2017, of malware designed to target industrial control systems, which Dragos was able to confirm was deployed in the attack on the Kiev substation that left nearly a quarter-of-a-million people without power for six hours.

Dragos further determined that the malware was not designed specifically for that attack, but is in fact an adaptable framework that "leverages knowledge of grid operations and network communications." Therefore, it can be adapted to different protocols, systems and vendors and could target multiple sites at once, the report says.

Although Dragos states outages would not be catastrophic, they could still last for days as the malware, dubbed CRASHOVERRIDE, can override and wipe ICS files.

Dragos, while not making any direct attribution to any nation state, says that an adversary group behind CRASHOVERRIDE has "direct ties" to a team identified as a Russian hacking group.

Dragos believes that CRASHOVERRIDE is an evolution of previous malware frameworks that were designed to infiltrate and study various industrial control systems. It points to the Dragonfly and BLACKENERGY 2 campaigns that adversaries used to conduct ICS espionage.

The 2016 cyberattack in Ukraine could have been much worse, says Dragos, and the attack appears to have been a "proof of concept" of the malware.

The Dragos report goes into deep technical detail about the various modules of CRASHOVVERIDE, how they interact and how they can be identified.

In addition to outlining the malware components, Dragos offers recommendations to reduce the attack surface and increase resiliency of power systems. It recommends maintaining offline backups of configuration and engineering files, preparing incident response plans, conducting tabletop exercises with all relevant stakeholders and increasing monitoring of the protocols exploited by CRASHOVERRIDE.

Verbatim: "It marks an advancement in capability by adversaries who intend to disrupt operations and poses a challenge for defenders who look to patching systems as a primary defense, using anti-malware tools to spot specific samples, and relying upon a strong perimeter or air-gapped network as a silver-bullet solution. Adversaries are getting smarter, they are growing in their ability to learn industrial processes and codify and scale that knowledge, and defenders must also adapt."