Miscreants deploying Industroyer malware can turn off power or interfere with operations.

Security researchers at ESET have been examining malware samples that can knock out power, similar to what was done to the residents of Kiev in December 2016.

The malware, dubbed Win32/Industroyer by the ESET team, can wreak the same damage as the type of malware that affected the electric power grid in the Ukrainian capital, according to a post on the company's We Live Security blog. The malware that hit the Ukraine might well have been a beta test, portending a larger attack to come, the researchers said. And, as the malware could be refitted to go after other varieties of critical infrastructure, it might well be the biggest threat to industrial control systems since Stuxnet, they claimed.

Industroyer is a significant threat, they explained, because it can gain control of electricity substation switches and circuit breakers by speaking the industrial communication protocols used in power supply infrastructure around the world.

Miscreants could therefore manipulate the switches and circuit breakers to turn off power or interfere with operations. The problem, said the researchers, is that the underlying protocols used for this hardware were designed decades ago – when controls were isolated, long before they were tethered to the internet.

And, Industroyer exploits these protocols in a manner precisely as they were designed to be used.

The December 2016 cyberattack in the Ukraine followed an earlier infiltration of the nation's electrical grid distribution network. In that incident, in 2015, the attackers employed BlackEnergy malware, as well as KillDisk and a number of other malicious components, to cripple legacy remote access software used at operator workstations. The attackers succeeded in shutting off power.

But, the ESET researchers explained, the coding of BlackEnergy is dissimilar to Industroyer. The newer code is modular malware, they said. "Its core component is a backdoor used by attackers to manage the attack: it installs and controls the other components and connects to a remote server to receive commands and to report to the attackers."

Its use of four payload components sets it apart from previous malware used to target critical infrastructure. This iteration can "gain direct control of switches and circuit breakers at an electricity distribution substation." 

The coding shows that those behind it have a comprehensive understanding of the technology used in industrial control systems, ESET wrote. Further, obfuscation strategies significantly disguise its workings – such tricks as hiding the C&C server in Tor, the use of a backdoor, and a wiper module that can "erase system-crucial Registry keys and overwrite files to make the system unbootable and the recovery harder."

In short, because of its flexibility, Industroyer can be adapted to target any industrial control system using some of the targeted communication protocols.

The ESET team admitted that, without access to the components themselves, they could not verify with certainty which code was used in the attacks on Ukraine's power grid, but based on their analysis they concluded that it was "highly probable" that the malware used in the December 2016 attack in the Ukraine was Industroyer.

But, ESET is not the only research team looking into the malware. Other teams have dubbed it CrashOverride.

In an article in Monday's Washington Post, the group behind the malware has been identified by cybersecurity firm Dragos as Electrum. The firm claimed "with high confidence" that this group used the same computer systems as did the hackers behind the attack on the Ukraine electric grid in 2015. That attack was believed to have been carried out by hackers contracted by the Russian government, according to American researchers – in the private sector, not the government.

All the researchers agreed that the malware demonstrated a high degree of sophistication. Because it can persist within a power grid's operations, gathering data to adjust its payload capabilities, it could be customized for use in any number of power grid systems.

It's highly dangerous, the ESET team warned, and whether the recent attack in the Ukraine was a test run or not, the malware's potency should be a concern for security professionals around the world charged with protecting such critical infrastructures.

Other experts agree about the imminent threat posed by Industroyer. 

"After years of working closely with global power generators, we have seen that network communications across grids are usually very stable and that once baselined, it's possible to detect anomalies," Andrea Carcano, co-founder and chief product officer for Nozomi Networks, told SC Media on Monday. "Unusual messages using regular power system communication protocols can be identified and flagged, and action can be taken on them before an outage occurs."
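One way to put Carcano's baselining point into practice, as an added illustration rather than code from the article or from Nozomi Networks: learn which source/destination/message-type conversations occur during normal operation and at what peak per-minute rate, then flag conversations that never appeared in the baseline and command bursts above the learned rate. Host names, message types and counts below are constructed; a real deployment would key on the protocol's own message or function identifiers.

```python
from collections import Counter

# Each record is (minute, src, dst, msg_type). All values are constructed for
# this example; msg_type stands in for the protocol's own message identifier.
BASELINE = [
    (m, "hmi-1", "rtu-7", "read_measurements") for m in range(60)
] + [
    (m, "hmi-1", "rtu-7", "switch_command") for m in (5, 23, 47)
]

# Observed traffic (constructed): a workstation that never spoke to the RTU
# issues 12 switch commands in one minute, and the usual HMI later sends a
# burst of 5 in a single minute where the baseline peak was 1.
OBSERVED = [
    (m, "hmi-1", "rtu-7", "read_measurements") for m in range(60, 70)
] + [
    (65, "eng-ws-3", "rtu-7", "switch_command")
] * 12 + [
    (66, "hmi-1", "rtu-7", "switch_command"),
] + [
    (67, "hmi-1", "rtu-7", "switch_command")
] * 5


def build_baseline(records):
    """Learn which (src, dst, msg_type) conversations occur and their peak per-minute count."""
    per_minute = Counter((m, s, d, t) for m, s, d, t in records)
    peak = {}
    for (m, s, d, t), n in per_minute.items():
        key = (s, d, t)
        peak[key] = max(peak.get(key, 0), n)
    return peak


def detect(records, peak, burst_factor=3):
    """Flag conversations absent from the baseline and bursts above burst_factor x the baseline peak."""
    alerts = []
    seen_unknown = set()
    per_minute = Counter((m, s, d, t) for m, s, d, t in records)
    for (m, s, d, t), n in sorted(per_minute.items()):
        key = (s, d, t)
        if key not in peak:
            if key not in seen_unknown:  # report each new conversation once
                seen_unknown.add(key)
                alerts.append(("unknown_conversation", m, s, d, t, n))
        elif n > burst_factor * peak[key]:
            alerts.append(("burst", m, s, d, t, n))
    return alerts


if __name__ == "__main__":
    for alert in detect(OBSERVED, build_baseline(BASELINE)):
        print(alert)
```

Both alerts fire on messages that are perfectly valid protocol traffic, which is why a learned baseline rather than a malware signature is what catches them.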

The implications of Industroyer malware are significant, Carcano added. "Unlike Stuxnet, which was designed to attack a particular uranium enrichment plant, this malware is broad-based and could affect power grids in many countries."

His recommendation is for electric utilities to monitor and improve their cyber resiliency programs, including implementing real-time ICS cybersecurity and visibility solutions.

But not all industry observers believe the threat is as significant as ESET and others claimed.

"With all of the buzz around Industroyer being 'the next Stuxnet,' you'd think it was one of the most sophisticated threats out there, but with no zero-days in the Industroyer payload, the significance of this malware as a stand-alone event is small," John Chirhart, federal technical director at Tenable, told SC Media on Monday.

"Security for critical infrastructure assets like industrial control systems is important, but we need to remember that malware like Industroyer, or WannaCry, represent the new normal of today's fast-paced security environment and require a different approach. There's no way to be strategic about your security if you're always reacting to the threat of the day," Chirhart said.

As cloud and IoT break down the distinction between operational technology (like ICS/SCADA) and information technology (like laptops and mobile devices), most security vendors have failed to innovate at the rate of change, Chirhart said, so the convergence of modern IT and OT computing assets is leaving customers struggling to discover and secure all of the devices on their networks.

"Single use “best of breed” security products are no longer enough," Chirhart said. "CISOs need a unified view from a single platform that can draw on active, passive and agent scanning to see everything – from containers to MRI machines."

Stop chasing the latest headline-breaking threat, he added, and instead implement a strategic and agile security program to proactively manage cyber risk for the modern enterprise. "That's what separates a world-class cyber organization from a mediocre one."