Industroyer – Crash Override (2016)
|Date||17–18 December 2016.|
|Suspected actor||The cybersecurity firm Dragos Inc. has attributed the cyber-attack to ELECTRUM. According to Dragos, ELECTRUM is a threat activity group of high competence and sophistication in the ICS industry that is directly associated with SANDWORM. In a more recent analysis, ESET has also suggested a strong link between the “Industroyer” malware and the TeleBots group that was behind the “NotPetya” and “BlackEnergy” incidents.|
|Target||Pivnichna substation of Ukraine’s national power company (Ukrenergo), located near the Ukrainian capital Kiev.|
|Targeted System||Industrial control systems (ICS) of the power substation.|
|Method||Unlike the 2015 attack on Ukraine’s power grid, in which the substation was manually switched off after gaining access to the power grid’s networks, the Industroyer attack in 2016 was fully automated. The functionality of this malware was described as a “logic bomb” that could detonate at a time of the attackers’ choice. Similarly to Stuxnet, Industroyer could be programmed to run independently from its operators and function in a network that is not connected to the internet.
The attackers initially infiltrated the substation by exploiting a vulnerability in Siemens SIPROTEC 4 and SIPROTEC Compact devices, allowing the malware to create a backdoor after gaining access into the industrial system. In addition to making a copy of the main backdoor, the malware also made one of a backup backdoor, imitated as a “Trojanized” version of Windows Notepad, that would be activated if the first version was uncovered, thus enabling the malware to remain persistent. Then the malware aimed at the industrial hardware, namely the circuit breakers and protection relays of the substation.
The execution of the attack was not immediate; instead, the blackout took place later at a time and date that was pre-set and hidden within the malware’s code. At that pre-defined moment, the malware’s payload was activated to take control over the circuit breakers and protection relays commanding them to open the circuit breaker switches. In order to boost the attack and ultimately crash the system, the malware also initiated, first, a denial-of-service tool that targeted and deactivated protection relays and, second, a data wiper tool that scanned workstation hard drives for specific file extensions related to the targeted software and then removed them to prevent recovery.
|Purpose||The real purpose of the attack remains unclear. There are concerning scenarios regarding the potential capabilities of the Industroyer, which are not limited to electricity blackouts that could last for up to several days but could even extend to causing physical damage. According to Dragos, such potential capabilities of the malware and its functionalities which were not fully exploited could be a good reason to believe that the 2016 power grid attack may have been just a proof of concept attack.|
|Result||Blackout that left a part of the Ukrainian capital Kiev and its surrounding area without electricity for more than one hour. The power loss at the time of the cut was estimated as one-fifth of Kiev’s consumption.|
|Aftermath||Although it did not attract as much attention as the 2015 attack, the malware used in the 2016 attack has been described as far more dangerous for being so advanced, customizable and highly adaptable to any environment. ESET has described Industroyer as the biggest threat to ICSs after Stuxnet.
Because Ukraine uses similar industrial technologies for its power grid to those commonly used around the world, this incident has raised serious concerns around the world, and some experts have described it as a wake-up call for reviewing and updating the cybersecurity of industrial and critical infrastructure worldwide.
In 2017, Ukrenergo introduced a reform aimed at reshaping its IT infrastructure and security; and a cyber incidents response centre was established to prevent threats and minimize the consequences of future cyber attacks. Dragos issued an industry report specifying indicators of compromise for the malware and included guidance for security teams on how to detect malicious behaviours and set patterns associated with the ICS communications, in addition to intelligence reports containing updates on the threat actor and capability.
|Analysed in||Scenario 03: Cyber operation against the power grid|
Collected by: Alan Haji
- НЕК "Укренерго" - NPC Ukrenergo, official statement (18 December 2016). See also BBC News, ‘Ukraine power cut 'was cyber-attack'’ (11 January 2017); The National Radio Company of Ukraine, ‘Ukraine power cut 'was cyber-attack'’ (11 January 2017).
- Robert M. Lee, ‘CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids’ (Blog 12 June 2017).
- Dragos Inc., ‘Electrum’ (2017).
- Anton Cherepanov and Robert Lipovsky, ‘New TeleBots backdoor: First evidence linking Industroyer to NotPetya’ (11 October 2018).
- Dragos Inc., ‘CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations’ (13 June 2017).
- Andy Greenberg, ‘'Crash Override': The Malware That Took Down a Power Grid’ (12 June 2017).
- Charlie Osborne, ‘Industroyer: An in-depth look at the culprit behind Ukraine's power grid blackout’ (30 April 2018).
- BBC News, ‘Ukraine power cut 'was cyber-attack'’ (11 January 2017); The National Radio Company of Ukraine, ‘Ukraine power cut 'was cyber-attack'’ (11 January 2017).
- Anton Cherepanov and Robert Lipovsky, ‘Industroyer: Biggest threat to industrial control systems since Stuxnet’ (12 Jun 2017).
- Anton Cherepanov and Robert Lipovsky, ‘Industroyer: Biggest threat to industrial control systems since Stuxnet’ (12 Jun 2017). See also: Kim Zetter, ‘The Ukrainian Power Grid Was Hacked Again’ (10 January 2017); John E Dunn, ‘Ukraine power outages ‘the work of cyberattackers’, warn experts’ (16 January 2017).
- Ukrenergo, ‘UKRENERGO-2017: results of the first reforms’ (2018).