Cybersecurity companies ESET and Dragos released research Monday on the first known malware purpose built for power grid cyberattacks like those the Ukraine suffered in December 2016 and December 2015. The malware’s potential to be adapted to attack a broad range of critical infrastructure has attracted attention from cyber and national security professionals across governments, militaries and industries globally.
The antivirus company ESET, which has previously published findings on the 2015 and 2016 Ukraine incidents, discovered the malware. Dragos, which specializes in industrial control system (ICS) cybersecurity, reviewed ESET’s work and independently verified most of ESET’s findings.
In separate reports, the companies noted that the malware – dubbed “Win32/Industroyer” by ESET and “CrashOverride” by Dragos – is distinct from BlackEnergy 3 and KillDisk malware, which threat actors employed in the 2015 and 2016 Ukraine grid cyberattacks.
However, BlackEnergy 3 and KillDisk do not contain the functionality to compromise ICS directly and, as a result, cause power outages. (BlackEnergy 2 does, but no evidence published to date shows the threat actor[s] used BlackEnergy 2 in the 2015 or 2016 Ukraine incidents.) A 2016 E-ISAC and SANS report concluded that the threat actor behind the 2015 incident had “direct interaction” with ICS and related software, which enabled the power outages.
While neither BlackEnergy 3 nor KillDisk could provide access to ICS, and therefore could not be used to cause power outages, the threat actor used either one or both in every other stage of the 2015 incident. For instance, the threat actor employed BlackEnergy 3 to map three Ukrainian utilities’ networks and to harvest credentials for operators’ human machine interfaces (HMIs). HMIs provide direct access to the ICS that monitor and control circuit breakers. In other words, the compromised HMIs served as the attack vectors that enabled the “direct interaction” required to cause the 2015 power outage.
In initial findings on the 2016 incident, presented in January at the S4x17 industry conference, security researchers Marina Krotofil of Honeywell and Oleksii Yasynskyi of ISSP Group said the threat actors behind the 2016 cyberattack employed many of the same tools as those used in 2015, including BlackEnergy 3.
However, the precise tactics, techniques and procedures (TTPs) that threat actors used to access the ICS in the 2016 incident have remained a mystery. ESET’s and Dragos’s new research potentially provides additional clues. However, the ESET and Dragos reports differed on the conclusiveness of the new evidence suggesting the use of Industroyer/CrashOverride in the 2016 cyberattack.
(The remainder of this analysis will refer to the Industroyer/CrashOverride malware simply as Industroyer, unless referring to findings reported specifically by Dragos.)
“We have seen indications that this malware could have been the tool used by attackers to cause the power outage in Ukraine in December 2016,” ESET researchers wrote, “although at the time of writing, it is not confirmed, and the investigation is still ongoing.”
Dragos, however, was more definitive in its report, writing, “Dragos assesses with high confidence that the same malware was used in the cyberattack to de-energize a transmission substation on December 17, 2016, resulting in outages for an unspecified number of customers.”
In January, Fifth Domain published an in-depth analysis of the 2015 and 2016 incidents, based on facts available at that time and using the traditional ICS Kill Chain as a likely model for the cyberattack. ESET’s and Dragos’s new reports detail malware that would have enabled the precise type of multi-stage, multi-step hack recounted in January’s Fifth Domain report, although that report remains a theoretical recounting based on incomplete facts about the incident.
This week’s research uncovered additional seeming correlations between the newly discovered malware and known details about the 2016 incident. The most remarkable new clue, found by ESET, tying Industroyer to the 2016 incident is a malware timestamp that coincides with the exact date of the 2016 cyberattack.
However, the research published this week also raises additional questions about the 2016 cyberattack, the threat actor(s) and emerging trends in cyber threats to power grids and critical infrastructure. Here are some of those trends, clues and questions, along with analysis.
1. Industroyer’s design makes it adaptable to a broad range of critical infrastructure environments and targets
While Industroyer was designed specifically to target switches and circuit breakers in electrical substations, the malware’s functionality is extensible, modular and highly customizable, researchers noted.
ESET and Dragos agree that Industroyer, while sharing similar functionality with BlackEnergy 3, contains code that is distinct from it. Likewise, the wiper code in Industroyer is distinct from that of KillDisk, although the functionality is similar.
In the samples obtained and analyzed by researchers, Industroyer uses one of four components to gain control of physical switches and circuit breakers in a power grid. Researchers call these four components and the corresponding exploits the 101 Payload, 104 Payload, 61850 Payload and OPC DA Payload.
The payloads are named after four common ICS protocols: IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OLE for Process Control Data Access (OPC DA). Industroyer uses one of these protocols – via payload component, respectively – during a cyberattack targeting remote terminal units (RTUs).
The Fifth Domain report published in January explained the role of RTUs in both Ukraine incidents. In summary, RTUs are electronic devices that link sensors and actuators on physical objects to ICS and supervisory control and data acquisition (SCADA) systems. ICS/SCADA systems allow engineers in centralized locations to monitor and control distributed assets. RTUs, which are similar to programmable logic controllers (PLCs), are key components of ICS/SCADA systems. Stuxnet targeted PLCs.
Dale Peterson, founder and CEO of Digital Bond, an ICS cybersecurity consulting firm, explained to Fifth Domain in January:
A RTU passes commands from an operator in a control room to numerous actuators that perform control functions and sensors that monitor system status at a physical site, such as a substation. Many RTUs today can run programs or logic, so the difference between a RTU and PLC can be minimal. Until recently, just the past year, these devices were “insecure by design.” We used to say, “access equals control.” If you had access [to the RTU], you didn’t have to hack it by exploiting a vulnerability. You could do anything you wanted using documented features and functions.
In other words, by gaining access to RTUs, threat actors can control the operation of switches, circuit breakers and other physical components of a power grid. HMIs and ICS protocols serve as the “bridge” from IT systems to the RTUs.
As ESET researchers noted, the four ICS protocols that Industroyer targets are decades old and are now used widely in critical infrastructure systems worldwide. The protocols’ prevalent use means threat actors could adapt Industroyer to other environments, such as transportation, water and oil infrastructure. Likewise, the malware could also be modified to target physical components, other than electrical switches and circuit breakers, that are monitored and controlled using one of the four ICS protocols. Dragos noted in its report that such adaptation to different environments and targets, while possible, remains merely “hypothetical” for now.
After examining ESET’s findings, Dragos wrote Monday that the malware “appears to have not used all of its functionality and modules.” Dragos also wrote that obtained Industroyer (CrashOverride) samples do not include payloads for Distributed Network Protocol 3 (DNP3), which is the more common ICS protocol used in North American power systems. But a DNP3-targeted payload could be added in subsequent versions or new variants, Dragos noted.
Industroyer’s extensibility, modularity and customizability suggest it was developed by a highly skilled threat actor, who most likely enjoys substantial resources. Threat actors with the time, skill and resources to adapt malware to specific targets are especially concerning.
“Thanks to its ability to persist in the system and provide valuable information for tuning-up the highly configurable payloads, attackers could adapt the malware to any environment, which makes it extremely dangerous,” ESET wrote.
2. Industroyer does not exploit a zero-day vulnerability
Unlike many other high-profile cyberattacks – such as the first ICS malware Stuxnet and the ransomware WannaCry – Industroyer doesn’t exploit a zero-day vulnerability. By comparison, Stuxnet exploited four zero-day vulnerabilities.
Dragos noted that, while Industroyer’s wiper function seeks to delete files associated with the company ABB’s ICS products, the malware does not exploit any vulnerability in ABB’s technology.
ESET reports that Industroyer’s denial-of-service exploit targets a known vulnerability (CVE-2015-5374) in Siemens SIPROTECT devices, but Dragos could not independently confirm this finding.
The researchers also did not report that Industroyer exploits any zero-day vulnerability in traditional IT systems or applications. The malware merely uses existing technological functionality for malicious purposes. For instance, Industroyer’s major component, which ESET calls the Main Backdoor and which includes versions with more and fewer privileges, hides in Microsoft Windows services. The Launcher and its four component payloads operate as Windows Dynamic Link Libraries (DLL).
The technique of using legitimate technological functionality – such as standard ICS protocols, Windows services and DLLs – to carry out cyberattacks makes malware trickier to detect and prevent, since it operates under the guise of software and systems that are “trusted” by many enterprise security solutions. Security solutions that use newer detection techniques, such as behavioral analysis, might fare better. Most helpful in detecting and preventing this type of malware is updated, actionable information on the threat and its use cases.
That the malware does not exploit a zero-day vulnerability can be viewed as a positive, on the one hand. On the other, it means there’s no easy safeguard because no security patch is available to provide blanket prevention of future attacks that employ this malware and similar exploits.
Dragos, ESET and US-CERT have all published indicators of compromise and recommended security practices to harden networks and systems against Industroyer and similar threats.
3. Industroyer illustrates the threat actor’s knowledge in two distinct technological domains
While ICS is the attack vector for compromising RTUs – and, by extension, physical switches and circuit breakers – Industroyer also compromises traditional IT.
Developers designed the malware to accommodate multi-stage, multi-step hacks. Threat actors use a custom module to facilitate each step of a hack. For instance, the malware establishes initial and persistent access via a local proxy (installed by the hackers) and two backdoors – the Main Backdoor targeting standard IT systems (Microsoft Windows services) and the other a “trojanized” version of a standard application (Microsoft Notepad).
The malware then establishes contact with the threat actor’s command and control (C&C) server via an encrypted channel (HTTPS). Most of Industroyer’s C&C servers are running Tor software, ESET noted.
The threat actors employ another module to map the victim organization’s IT and ICS environments. The mapping module is unique to Industroyer, not borrowed or repurposed, ESET noted. By contrast, threat actors used BlackEnergy 3 to map local environments in 2015.
Once target ICS systems are discovered, Industroyer begins using the Loader module and its four component payloads to establish control of RTUs via ICS protocols and issue commands to physical components.
Such a cyberattack illustrates this threat actor’s rare cross-domain knowledge. Traditionally, IT and ICS have been distinct areas of expertise (computer science and electrical/mechanical engineering, respectively). However, with the increasing modernization and digitization of critical infrastructure over the past two decades, the two technological domains now interface and are as integrated as ever. Still, ICS technology has remained relatively obscure to traditional IT experts, such as hackers. Industroyer’s author’s demonstrated expertise in both IT and ICS technologies is remarkable.
Indeed, “Industroyer’s payloads show the authors’ deep knowledge and understanding of industrial control systems,” ESET researchers wrote.
Dragos, a company specializing in interdisciplinary IT-ICS security, observed, “As with most ICS-specific incidents, the most interesting components of the attack are in how the adversary has demonstrated they understand the physical industrial process.”
4. Industroyer possesses a destructive capability
Some previous versions of malware used to target power grids, such as Havex, were designed primarily for cyber espionage. Industroyer possesses reconnaissance functionality, such as the network mapping module, but the samples analyzed by researchers appear to have no dedicated espionage capability. However, Industroyer does contain a destructive wiper.
ESET notes, “its wiper module is designed to erase system-crucial Registry keys and overwrite files to make the system unbootable and the recovery harder.”
By contrast, the threat actor behind the 2015 Ukraine incident also used a wiper program called KillDisk. KillDisk played no role in causing the power outage, but it did prolong the outage by destroying files of programs that could have helped to restore power more quickly. Industroyer’s wiper appears to have been designed to provide the same data-deleting functionality.
The Industroyer author’s inclusion of wiper functionality is notable for a few reasons. First, it speaks to one of the threat actor’s potential motives, which extends beyond quiet, passive espionage and at least gives the option of using a destructive capability.
Second, the destructive component fits the traditional cyber strategy and operational profile of some threat actors, but not others. For instance, based on findings from prior cyberattacks, North Korea and Iran have destroyed data during cyberattacks more often than either Russia or China. However, Russia, China and many sophisticated cyber proxies could easily develop destructive capabilities. It’s also possible that the threat actor adopted destructive capabilities, at least in part, to obscure exactly this type of threat profiling. Therefore, the destructive capability alone does not implicate or vindicate any threat actor, but it’s worth observing and perhaps remembering as a trend.
5. The latest findings provide new correlations between malware functionality and known details of the 2016 cyberattack, but it also raises new questions
ESET found a few strong points to support the idea that Industroyer was, or could have been, used in the 2016 cyberattack. The strongest is the malware timestamp that coincides with the exact date of the 2016 incident. ESET also pointed to other indicators, such as the hard coding of the local proxy address in the Main Backdoor, which suggests Industroyer was intended to be used on one target (at least initially).
Notably, ESET’s and Dragos’s reports expressed differing levels of confidence in whether Industroyer was used in the 2016 cyberattack. The difference can perhaps be explained by varying levels of knowledge about the incident, arising from different degrees of access to the victim and its environment (e.g., on-site incident response), as well as available types of forensic evidence to analyze.
ESET noted multiple times that, while some existing evidence suggests that Industroyer could have been used in the 2016 cyberattack, the proof its researchers currently possess is inconclusive.
“Whether the same malware was really involved in what cybersecurity experts consider to have been a large-scale test is yet to be confirmed,” ESET researchers wrote in a blog post summarizing their findings. The reference to “test” is how some have characterized the 2016 incident.
In contrast, a Dragos blog post and its published report on CrashOverride expressed the findings in a more certain tone. In its report, Dragos wrote, “The team was able to use this notification [from ESET] to find samples of the malware, identify new functionality and impact scenarios, and confirm that this was the malware employed in the December 17th, 2016 cyberattack on the Kiev, Ukraine transmission substation which resulted in electric grid operations impact.”
Also notable, Krotofil has said that BlackEnergy 3 and KillDisk were used in the 2016 and 2015 incidents. Why would the threat actor use two different pieces of malware (BlackEnergy 3/KillDisk and Industroyer/CrashOverride), which provide much of the same functionality, in the same cyberattack?
Threat actors need Industroyer to reach the ICS, as already discussed, but then why use BlackEnergy 3/KillDisk at all, given that all of their functionality (C&C, reconnaissance, wiper, etc.) needed to pull off the hack is provided by Industroyer?
6. With the newest findings, the attribution plot has thickened
Based on the circumstantial evidence at hand, many observers suspect Russia played a role in one or both Ukraine grid cyberattacks, based on its known cyber capabilities and obvious motive, given ongoing geopolitical tensions with Ukraine.
The December 2016 incident occurred amid a flurry of 6,500 cyberattacks over two months, Ukraine’s President Petro Poroshenko told media. Poroshenko said the attacks indicated Russian “cyberwar.”
Russia also has a history of carrying out cyberattacks against its neighbors – most notably Estonia in 2007 and the country of Georgia in 2008. Yet, recall that Russia has historically been less inclined than other nation-states to incorporate data deletion into cyberattacks. To date, no publicly available threat intelligence or forensic evidence ties Russia directly to either Ukraine incident.
In addition to a potential nation-state threat actor, cyber proxies must be considered. A mysterious group named Sandworm is known to have adopted an earlier version of BlackEnergy to improve and expand the malware’s capabilities, according to earlier research by ESET and others. The nature of Sandworm’s affiliation with the Russian government, if one exists, is unknown.
It’s currently unclear if – and, if so, how – Sandworm had any hand the 2015 and/or 2016 incidents. The fact that Sandworm developed recent versions of BlackEnergy does not alone implicate the group in any cyberattack. For instance, Iranian threat actors were recently observed using BlackEnergy to attack U.S. defense contractors.
Further complicating attribution, Dragos first reported Monday on its efforts to track a new threat actor somehow affiliated with Sandworm.
“Dragos can also confirm that we are tracking the adversary group behind the attack as ELECTRUM and can assess with high confidence the group has direct ties to the Sandworm Team which targeted infrastructure companies in the United States and Europe in 2014 and Ukraine electric utilities in 2015,” researchers wrote.
Yet, ESET and Dragos have stopped short of making any public statements on attribution for Industroyer, as well as the 2015 or 2016 incidents. Caution is unsurprising, given the devil in the details of attribution is usually not trivial, especially for sophisticated threat actors.
Regardless of who’s behind the newly discovered malware, grid operators globally are checking their networks and bracing for new cyberattacks, whether they involve Industroyer or the next variation on the ICS malware theme.
And while Dragos’s report highlighted the current security and resiliency of the U.S. power grid, the increasing sophistication of threat actors and the malware they’re designing to target critical infrastructure should not be downplayed or disregarded. Indeed, ESET researchers called this a “wake-up call” for grid operators globally.