Lights Out: Public Utilities Infected with Malware


In 2016 there was a massive power outage in Ukraine. Officials have now finally found out what caused the outages: malware. This malware was not part of an extortion scheme like WannaCrypt, but rather an attempt at controlling a country's infrastructure. The malware was found and analyzed by two companies, ESET and Dragos Inc. ESET is a Slovakian anti-virus software maker and Dragos is a US-based infrastructure security firm. The malware program is named Industroyer or Crash Override. Ukrainian officials have blamed Russia for the attack, but Russia has fervently denied those claims.

ESET released a warning that Crash Override is a program that could easily be repurposed to do more than shut off power lines. Crash Override could infect and disable nuclear power plants as well as gas or water companies. Areas could lose access to their basic infrastructure, which could then be used as part of a ransomware attack. The US Department of Homeland Security (DHS) echoed ESET's warning, saying that they have been working to better understand Crash Override so they can protect against it. They even warned that the virus could feasibly infect and disable US-based companies and infrastructure.

Dragos, ESET and the DHS have all published warnings on their web pages listing several symptoms to look out for in infected systems. They urge anyone who suspects that their systems have been compromised to contact them at once. Dragos founder Robert Lee believes that Crash Override is poised to attack power stations all over Europe, with these attacks used as leverage against the United States. Lee feels that while the virus could disable portions of a power grid for several days, it doesn't pose a national-level risk. That's without modifications, though; a souped-up Industroyer could disable larger portions of the power grid for longer.

Industroyer/Crash Override is a rare kind of malware, with only one other program in the same class. That program, Stuxnet, was found in 2010 and is believed to have been developed and used by the United States and Israel against the Iranian nuclear program. What makes these two viruses dangerous is that they work without the need for physical intervention on the hackers' part. Most malware programs that attack a utility require the perpetrator to physically be at that location, working with valves or dealing with other physical safeties. Industroyer overrides these, allowing someone from a thousand miles away to cripple a power plant or substation without ever having to be in the country.

Industroyer is difficult to detect; spotting it requires the operators of the infected system to monitor its network traffic constantly. Abnormal traffic volume or unusual destinations are among the indicators of an infection, because the program is trying to find the locations of substations, safeties and other places in which to wreak havoc. Another indicator is that the program will physically cause switches to flip, as well as flipping breakers and other safety devices, as it tests the limits of its power. This testing makes Industroyer dangerous even while it's still in the infection stage, where it is most vulnerable.
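The two network indicators named above, unusual destinations and abnormal volume, are the kind of thing a monitoring team can check against a baseline of normal traffic. The script below is an added example and not code from ESET, Dragos or DHS: it profiles a quiet window of summarised flow records per source host, then flags a review window for destinations never seen before, for one source reaching many new hosts at once (the discovery behaviour the paragraph describes), and for byte counts several times the baseline. The flow records, the hosts and the thresholds (`spike_factor`, `scan_threshold`) are all constructed assumptions for the demonstration, and the record format is not any particular collector's.

```python
"""Baseline-and-compare check for unusual destinations and traffic volume."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised network flow (constructed record format, not a real collector's)."""
    src: str
    dst: str
    nbytes: int


# Constructed sample: ordinary traffic for one monitoring window on a quiet day.
BASELINE_FLOWS = [
    Flow("10.0.1.20", "10.0.2.5", 1200),
    Flow("10.0.1.20", "10.0.2.5", 1200),
    Flow("10.0.1.20", "10.0.2.5", 1200),
    Flow("10.0.1.20", "10.0.2.6", 900),
    Flow("10.0.1.21", "10.0.2.5", 800),
    Flow("10.0.1.21", "10.0.2.5", 800),
]

# Constructed sample: the same-length window under review. 10.0.1.20 starts talking
# to four hosts it never contacted before; 10.0.1.21 moves several times its usual volume.
REVIEW_FLOWS = [
    Flow("10.0.1.20", "10.0.2.5", 1200),
    Flow("10.0.1.20", "10.0.2.6", 950),
    Flow("10.0.1.20", "10.0.2.7", 300),
    Flow("10.0.1.20", "10.0.2.8", 300),
    Flow("10.0.1.20", "10.0.2.9", 300),
    Flow("10.0.1.20", "10.0.2.10", 300),
    Flow("10.0.1.21", "10.0.2.5", 9000),
]


def build_baseline(flows):
    """Per-source profile: the set of destinations seen and total bytes in the window."""
    profile = defaultdict(lambda: {"dsts": set(), "nbytes": 0})
    for f in flows:
        profile[f.src]["dsts"].add(f.dst)
        profile[f.src]["nbytes"] += f.nbytes
    return dict(profile)


def find_anomalies(baseline, flows, spike_factor=5.0, scan_threshold=3):
    """Return (kind, src, detail) alerts for a review window of equal length to the baseline.

    kinds: unknown-source   - a host with no baseline profile at all
           new-destination  - a known host reaching a destination it never used before
           scan-like        - one host reaching scan_threshold or more new destinations
           volume-spike     - a host sending more than spike_factor x its baseline bytes
    """
    alerts = []
    new_dsts = defaultdict(set)
    window_bytes = defaultdict(int)
    for f in flows:
        window_bytes[f.src] += f.nbytes
        if f.src not in baseline:
            alerts.append(("unknown-source", f.src, f.dst))
            continue
        if f.dst not in baseline[f.src]["dsts"]:
            new_dsts[f.src].add(f.dst)
    for src, dsts in new_dsts.items():
        for dst in sorted(dsts):
            alerts.append(("new-destination", src, dst))
        if len(dsts) >= scan_threshold:
            alerts.append(("scan-like", src, f"{len(dsts)} new destinations"))
    for src, nbytes in window_bytes.items():
        base = baseline.get(src)
        if base and nbytes > spike_factor * base["nbytes"]:
            alerts.append(("volume-spike", src, f"{nbytes}B vs baseline {base['nbytes']}B"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_FLOWS), REVIEW_FLOWS):
        print(*alert)
```

In practice the baseline would be built from days of flow exports rather than one window, and the thresholds tuned so that scheduled jobs and maintenance windows do not page anyone; the point of the example is that both indicators reduce to comparing a host against its own history, which is exactly what constant traffic monitoring is meant to provide.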