Dragos, Inc. was notified by the Slovak anti-virus firm ESET of an ICS tailored malware on June 8th, 2017. The Dragos team was able to use this notification to find samples of the malware, identify new functionality and impact scenarios, and confirm that this was the malware employed in the December 17th, 2016 cyber-attack on the Kiev, Ukraine transmission substation which resulted in electric grid operations impact. This report serves as an industry report to inform the electric sector and security community of the potential implications of this malware and the appropriate details to have a nuanced discussion.
- The malware self-identifies as “crash” in multiple locations thus leading to the naming convention “CRASHOVERRIDE” for the malware framework.
- CRASHOVERRIDE is the first ever malware framework designed and deployed to attack electric grids.
- CRASHOVERRIDE is the fourth ever piece of ICS-tailored malware (STUXNET, BLACKENERGY 2, and HAVEX were the first three) used against targets and the second ever to be designed and deployed for disrupting physical industrial processes (STUXNET was the first).
- CRASHOVERRIDE is not unique to any particular vendor or configuration and instead leverages knowledge of grid operations and network communications to cause impact; in that way, it can be immediately re-purposed in Europe and portions of the Middle East and Asia.
- CRASHOVERRIDE is extensible and with a small amount of tailoring such as the inclusion of a DNP3 protocol stack would also be effective in the North American grid.
- CRASHOVERRIDE could be leveraged at multiple sites simultaneously, but the scenario is not cataclysmic and would result in hours, potentially a few days, of outages, not weeks or more.
- Dragos assesses with high confidence that the same malware was used in the cyber-attack to de-energize a transmission substation on December 17, 2016, resulting in outages for an unspecified number of customers.
- The functionality in the CRASHOVERRIDE framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages.
- CRASHOVERRIDE could be extended to other industries with additional protocol modules, but the adversaries have not demonstrated the knowledge of other physical industrial processes to be able to make that assessment anything other than a hypothetical at this point and protocol changes alone would be insufficient.
- Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.
Siehe auch First known hacker-caused power outage signals troubling escalation, Gefährliche Cyberwaffe schaltete Stromnetz von Kiew aus, Studie Digitaler Stillstand: Die Verletzlichkeit der digital vernetzten Gesellschaft – Kritische Infrastrukturen und Systemperspektiven