Batu69 Posted June 12, 2017

Two cybersecurity companies said they have uncovered a sophisticated piece of malicious software capable of causing power outages by ordering industrial computers to shut down electricity transmission. Analysis of the malware, known as Crash Override or Industroyer, indicates it was likely used in a December 2016 cyberattack that cut power in Ukraine, according to the firms, Slovakian security software maker ESET and U.S. critical-infrastructure security firm Dragos.

The discovery may stoke fears about cyber vulnerabilities in power grids that have intensified in the wake of the December Ukraine attack, and one a year earlier that also cut power in that nation. Ukraine authorities have previously blamed Russia for the attacks on its grid. Moscow has denied responsibility.

Dragos founder Robert M. Lee said the malware is capable of causing outages of up to a few days in portions of a nation's grid, but is not potent enough to bring down a country's entire grid. The firm has alerted government authorities and power companies about the threat, advising them of steps to defend against the threat, Lee said in an interview.

Crash Override can be detected if a utility specifically monitors its network for abnormal traffic, including signs that the malware is searching for the location of substations or sending messages to switch breakers, according to Lee, a former U.S. Air Force warfare operations officer. The sample of Crash Override that was analyzed by Dragos is capable of attacking power operators across Europe, according to Lee.
"With small modifications, it could be leveraged against the United States," he said.

Reuters reviewed an ESET technical analysis of the malware provided by the security firm, which they planned to release publicly on Monday. An ESET spokeswoman said the firm's researchers were not available for comment ahead of its release. ESET said in its report that it believed the malware was "very probably" used in the 2016 attack in Ukraine, noting it has an activation time stamp of Dec. 17, the day of the outage.

Crash Override is the second piece of malware discovered to date that is capable of disrupting industrial processes, according to Lee. The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran's nuclear program. Malware has been used in other attacks on industrial targets, including the 2015 Ukraine power outage, but in those cases human intervention was required to interfere with operations, Lee said.
Ha91 Posted June 12, 2017

A brief yet an informative piece. Thank you for sharing this, brother.
coromonadalix Posted June 13, 2017

Well, repetitive info in the same thread, badly written. Did you know it was in Ukraine??? lol
tao Posted June 13, 2017

The Malware Used Against The Ukrainian Power Grid Is More Dangerous Than Anyone Thought

Researchers have discovered a new powerful—and dangerous—malware that targets industrial control systems.

Last December, when attackers hacked a power transmission company in Ukraine and cut electricity to tens of thousands of customers for an hour around midnight, it was considered a less severe assault than one that occurred the previous December. The latter attack cut power to more than 230,000 Ukrainians for one to six hours during peak dinner hours in the dead of winter. But new analysis of malware used in the more recent attack suggests it may be more sophisticated and dangerous than previously believed.

Researchers who examined the malicious code say it's a modular toolkit composed of multiple components that have the ability to launch automated assaults against industrial control systems managing the electric grid. The toolkit doesn't exploit software vulnerabilities to do its dirty tricks—the way most malware does—but instead relies on exploiting four communication protocols or standards that are used with industrial control systems in Europe, the Middle East, and Asia, according to the researchers. This means the attackers could use the same toolkit to target systems in these regions, and may already have done so.

"There's a ton of functionality in this that was never used in Ukraine," says Robert M. Lee, co-founder of Dragos, a critical infrastructure security company that examined the code. "This suggests it was being prepared for use at multiple sites." With a little tweaking, Lee says the same toolkit would also work against parts of the grid in the US.
The malicious toolkit, which is being called Industroyer by the Slovakian antivirus firm ESET and CrashOverride by Lee and his firm, includes two backdoors, which the attackers use to gain persistence on systems (the second one is designed to regain access if the first backdoor is detected or disabled); a wiper component for erasing critical system files to render grid operator stations inoperable; and a port scanner to map infected networks during the reconnaissance stage.

Researchers with ESET say Industroyer/CrashOverride is the biggest threat to industrial control systems since Stuxnet, the worm that damaged centrifuges used in Iran's nuclear program back in 2009. But Lee downplays this, saying although the toolkit is a big deal, it's designed to disrupt equipment and service, not destroy equipment the way Stuxnet did.

There have only been four malware attacks found in the wild that target industrial control systems: Stuxnet, Black Energy2, Havex and now Industroyer/CrashOverride. BlackEnergy and Havex were designed for espionage; but only Stuxnet and Industroyer/CrashOverride were designed solely for sabotage. The distinction is important because determining the intent of malware is often difficult to do but has important implications for how an intrusion might be viewed under the international laws of war where espionage is not considered a use of force but sabotage is.

"Anyone who finds this [on their system] can assume the intention is attack," says Lee. "There is no function in this malware that you could use for espionage. So there is zero reason to position this anywhere where you weren't going to attack."

Lee says the malware itself isn't very sophisticated—it has a lot of the same functionality found in other malware attacks. What makes it sophisticated is the extensive knowledge the authors have about industrial control system protocols.
The heart of the malware are the four ICS-specific modules that operate in conjunction with one another to exploit four protocols known as IEC 101, IEC 104, IEC 61850, and OLE for Process Control Data Access (OPC DA). "What's sophisticated is knowing what protocols to use and in what order," Lee says. "These protocols provide an ability to map out the industrial equipment inside the environment and send commands to [substations] to impact circuit breakers."

The malware has to be custom-built for each target using a configuration that is specific to that site, so an attacker couldn't turn it into a worm to attack just any system it encounters. But Lee says this doesn't mean attackers couldn't target multiple sites simultaneously. The toolkit has logic bomb functionality, which means attackers could infect multiple systems to launch a simultaneous attack against them. "A smart adversary could take on portions of a grid and substations, similar to what we saw in 2015, for a couple hours," he says. "But with this [logic bomb] function, you could be looking at a day or two of outages fairly easily. I don't think you could go above that—this wouldn't cause cascading failures." Even so, "you're obviously talking about a complete psychological impact on your human populace that you would not want," he notes.

The 2016 attack on Ukraine's power grid, which struck December 17 at a substation outside the capital city Kiev, was believed to be a test for refining attacks on critical infrastructure around the world. Once the attackers installed their backdoor, they stole system and administrator account credentials, which allowed them to move through the network undetected. They sat on the network conducting reconnaissance for months, scanning network traffic and studying the daily behavior of administrators so they could mimic their activity.
The malicious toolkit that was used in the attack contained a December 17, 2016 timestamp that activated the protocol components to launch their attack. Lee says the toolkit had the ability to launch a continuous assault on the circuit breakers so that each time operators would try to regain control in order to re-close the breakers, the malware would open them again. "As operators tried to take control, it goes into an infinite loop," Lee says. At this point the wiper module would also get activated and delete system files on operator machines to crash them and prevent them from rebooting. The only way operators could then restore power was to physically switch to manual operation mode at the substation.

The attack in 2015 was tied specifically to the model of equipment used at each of the three distribution plants; the attackers had to study the specific equipment used at the plants and design their attack to target them. But there's no equipment component to this newer attack. "It is directly applicable to every site in Europe, most of the Middle East and most of Asia," he says. The US uses a different communication protocol known as DNP3 (Distributed Network Protocol 3), but this doesn't make it immune to the same kind of assault. "The way this framework is built, it would be very easy to [switch] in a DNP3 module […] and you'd be able to replay this against portions of the US grid," he says.

Lee says detecting an attack using the Industroyer/CrashOverride framework would not be too difficult to do. Because the four modules using the communication protocols operate in a very distinct pattern, administrators could configure their security tools to watch for this.
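Both articles above (Lee in the Reuters piece, and the closing paragraph of the Wired piece) make the same practical point: the protocol modules behave in a pattern a utility can watch for. The sketch below is an added illustration of that idea for the IEC 104 module, not code from the articles, from ESET, or from Dragos. It parses IEC 60870-5-104 APDUs far enough to pull out control-command ASDUs (type IDs 45/46/47 and their time-tagged variants 58/59), ignores "select" frames, and raises an alert when one source executes many breaker commands against many distinct information object addresses in a few seconds, which is how an automated trip sequence looks next to an operator working one point at a time. The host addresses, thresholds and the captured records are constructed for the example; a real deployment would feed it reassembled TCP payloads from a span port.

```python
"""Flag Industroyer/CrashOverride-style breaker-command floods on IEC 60870-5-104.

Added illustration, not code from the articles, ESET, or Dragos. It assumes the
monitor is handed raw 104 APDUs (TCP stream already reassembled, one APDU per
record) together with the sender's IP and a capture timestamp.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

START_BYTE = 0x68
COT_ACTIVATION = 6          # cause of transmission "activation": a live command
# Control-command ASDU type IDs (IEC 60870-5-101 type identification table),
# mapped to the size of the information element that follows the 3-byte IOA.
CONTROL_TYPES = {45: 1, 46: 1, 47: 1,   # C_SC_NA_1, C_DC_NA_1, C_RC_NA_1
                 58: 8, 59: 8}          # same commands with a CP56Time2a tag


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    ioas: List[int]          # information object addresses this ASDU touches
    select: Optional[bool]   # S/E bit of the command qualifier; None if not a command


def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Parse one 104 APDU. Returns None for S-/U-format frames, which carry no ASDU."""
    if len(data) < 6 or data[0] != START_BYTE or data[1] != len(data) - 2:
        raise ValueError("malformed APDU")
    if data[2] & 0x01:               # control field bit 0 set: S- or U-format
        return None
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("short ASDU")
    type_id, vsq = asdu[0], asdu[1]
    sq, count = bool(vsq & 0x80), vsq & 0x7F
    cot = asdu[2] & 0x3F              # low 6 bits; bit 6 = P/N, bit 7 = test flag
    common_addr = asdu[4] | (asdu[5] << 8)
    if type_id not in CONTROL_TYPES:
        return Asdu(type_id, cot, common_addr, [], None)
    elem, body, ioas, select = CONTROL_TYPES[type_id], asdu[6:], [], None
    if sq:                            # SQ=1: one IOA, `count` consecutive elements
        base = body[0] | (body[1] << 8) | (body[2] << 16)
        ioas = [base + i for i in range(count)]
        select = bool(body[3] & 0x80)
    else:                             # SQ=0: `count` objects of (IOA + element)
        for i in range(count):
            obj = body[i * (3 + elem):(i + 1) * (3 + elem)]
            if len(obj) < 3 + elem:
                raise ValueError("truncated information object")
            ioas.append(obj[0] | (obj[1] << 8) | (obj[2] << 16))
            select = bool(obj[3] & 0x80)   # qualifier byte (SCO/DCO/RCO) follows the IOA
    return Asdu(type_id, cot, common_addr, ioas, select)


@dataclass
class Alert:
    src: str
    first_ts: float
    last_ts: float
    commands: int
    distinct_ioas: int


def detect_command_flood(records, window: float = 5.0,
                         min_cmds: int = 10, min_ioas: int = 5) -> List[Alert]:
    """records: iterable of (timestamp, src_ip, apdu_bytes), ordered by time.

    Alerts when one source *executes* (not merely selects) at least `min_cmds`
    control commands to at least `min_ioas` distinct IOAs within `window` seconds.
    """
    recent: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    alerts: List[Alert] = []
    for ts, src, data in records:
        asdu = parse_apdu(data)
        if asdu is None or asdu.select is None:
            continue                  # not an I-format frame, or not a command
        if asdu.cot != COT_ACTIVATION or asdu.select:
            continue                  # only count executed activations
        events = recent[src]
        events.extend((ts, ioa) for ioa in asdu.ioas)
        while events and ts - events[0][0] > window:
            events.pop(0)             # slide the window
        distinct = {ioa for _, ioa in events}
        if len(events) >= min_cmds and len(distinct) >= min_ioas:
            alerts.append(Alert(src, events[0][0], ts, len(events), len(distinct)))
            events.clear()            # start a fresh window after alerting
    return alerts


def build_double_command(common_addr: int, ioa: int, on: bool, select: bool = False,
                         cot: int = COT_ACTIVATION, send_seq: int = 0,
                         recv_seq: int = 0) -> bytes:
    """Build a C_DC_NA_1 (type 46) APDU; DCS 1 = OFF (open breaker), 2 = ON (close)."""
    dco = (0x80 if select else 0) | (2 if on else 1)
    control = bytes([(send_seq << 1) & 0xFF, (send_seq >> 7) & 0xFF,
                     (recv_seq << 1) & 0xFF, (recv_seq >> 7) & 0xFF])
    asdu = bytes([46, 0x01, cot, 0x00, common_addr & 0xFF, common_addr >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, dco])
    return bytes([START_BYTE, len(control) + len(asdu)]) + control + asdu


def sample_records():
    """Constructed traffic: one operator select/execute, then a scripted trip of 20 points."""
    recs = [(50.0, "10.0.0.5", build_double_command(1, 1001, on=False, select=True)),
            (51.0, "10.0.0.5", build_double_command(1, 1001, on=False)),
            (52.0, "10.0.0.5", bytes([0x68, 0x04, 0x01, 0x00, 0x02, 0x00]))]  # S-format ack
    recs += [(100.0 + 0.1 * i, "10.0.0.66", build_double_command(1, 1001 + i, on=False, send_seq=i))
             for i in range(20)]
    return recs


if __name__ == "__main__":
    for alert in detect_command_flood(sample_records()):
        print(alert)
```

On the constructed traffic the operator's single select-then-execute never trips the threshold, while the scripted source that opens twenty breakers in two seconds produces alerts. The same shape of rule (many execute commands, many points, one source, short window) is what you would tune for the IEC 101 and DNP3 paths Lee mentions; the parser would change, the pattern would not.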
humble3d Posted June 16, 2017

CONFIRMED REDUX...

‘Crash Override’ malware heightens fears for US electric grid

The identification of malware tied to a cyberattack on Ukraine last year is putting a renewed focus on threats to America’s electric grid. Security firms ESET and Dragos revealed the malware, dubbed “Crash Override” or “Industroyer,” this week. According to the researchers, the malware is only the second to be tailored to industrial control systems and developed and deployed to be disruptive — the first was the Stuxnet virus that ravaged Iran’s nuclear program years ago.

The attack, which knocked out power in Kiev for about an hour, was one of two targeting Ukraine’s electric grid in recent years. Russia, which annexed Ukraine’s Crimean peninsula, is widely believed to have a connection to both attacks. Experts say the cyber weapon could be deployed against electric infrastructure in Europe and much of Asia and the Middle East and, with slight modifications, could be used against the United States as well.

“This threat should absolutely make grid operators and the security community take these types of threats more seriously,” Robert M. Lee, CEO and founder of Dragos, told The Hill. “This is definitely an evolution of tradecraft we haven’t seen before.”

The discovery of Crash Override triggered an immediate response from the government and industry. The computer emergency readiness team at the Department of Homeland Security (DHS) warned that, while there is no evidence the malware has affected U.S. critical infrastructure, it “could be modified to target U.S. critical information networks and systems.” The National Cybersecurity and Communications Center, the DHS said, is working to assess the risk the malware poses to U.S. critical infrastructure.
On Tuesday, the North American Electric Reliability Corporation (NERC), a regulatory body of the electric industry, issued a public alert to its members to limit access to their networks to protect against the threat. Lee said that his firm notified the government and key players in the electric sector on June 10, immediately after confirming the analysis of the malware and before publicly releasing details about it on Monday. “Everybody actually took the threat seriously,” Lee said. “I was really impressed with the response by government and the sector.”

Lawmakers, meanwhile, have been raising questions about the vulnerability of the U.S. electric grid since the threat came to light. “I worry about cyberattacks on our power grid,” Rep. Pete Olson (R-Texas), a member of the House Energy and Commerce Committee, said at a hearing Tuesday.

“I think that’s an ongoing challenge,” Amit Yoran, chairman and CEO of Tenable Network Security, told the House panel. “From a security perspective, there’s a great challenge in that industry in that the systems are incapable of being updated or there’s tremendous risk in updating those systems, which unlike our mobile phones or desktop PCs, have a lifespan measured in decades.”

“Here in the U.S., I think we are probably more advanced on our security of those power grids,” Bill Wright, government affairs and senior policy counsel at Symantec, told the lawmakers. “That said, there’s always going to be susceptibility.”

If deployed in the U.S., the malware would need to target multiple elements of the electric grid — which is comprised of numerous smaller units — to cause widespread outages. Lee said that any outage would last only hours or days at most, given that elements of the U.S. electric grid have been engineered to switch over to manual operation in the event of storms or natural disasters. Still, the twin attacks on Ukraine’s power have heightened long-standing concerns in Washington about threats to the electric grid.
Earlier this year, Sen. Angus King (I-Maine) introduced legislation with bipartisan support that would set up a pilot program to find security vulnerabilities in the energy sector. The fears on Capitol Hill have been compounded by Russia’s willingness to use cyberattacks to achieve strategic gains, in the wake of what U.S. intelligence has described as Moscow’s interference campaign during the presidential election.

Dragos has named the group behind the malware “Electrum” and has linked that group to the Sandworm team — the same group security experts say was behind a 2015 cyberattack on Ukraine’s electric grid. While some experts — including Dragos — have not attributed the group to a particular country, security firm FireEye has connected it to the Russian government.

On Tuesday, Sen. John McCain (R-Ariz.) raised the issue during questioning of Attorney General Jeff Sessions in the context of threats posed by Russia to Ukraine and the United States. “It is very disturbing that the Russians continue to push hostile actions in their foreign policy,” Sessions said. “We do not have a sufficient strategy dealing with technological and IT penetrations of our system,” he said. “I truly believe it’s more important than I ever did before.”

http://thehill.com/policy/cybersecurity/337877-crash-override-malware-heightens-fears-for-us-electric-grid