Industroyer Malware Detected, Linked to Kiev Attack

Malware capable of taking down a city's power grid has been detected.

Named 'Industroyer', the malware was identified after the December 2016 attack on Kiev. ESET's analysis found that it can control electricity substation switches and circuit breakers directly, using industrial communication protocols deployed worldwide in power supply infrastructure, transportation control systems and other critical infrastructure such as water and gas.

Industroyer does not exploit vulnerabilities in those protocols; it simply speaks them as designed, which is enough because they were built for isolated networks and not with security in mind. Its core component is a backdoor that the attackers use to install and control the other components; it connects to a remote server to receive commands and to report back to the attackers.

What sets Industroyer apart is its four payload components, each designed to gain direct control of switches and circuit breakers at an electricity distribution substation. They work in stages: first mapping the network, then issuing commands to the specific industrial control devices they find.
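What "issuing commands to the substation devices" looks like on the wire, and the kind of check a substation operator could run against it, as an added example that is not from the article or from ESET's report. The article does not name the four protocols; this example assumes IEC 60870-5-104, which ESET's analysis lists among them. The host addresses, the allowlist of approved SCADA masters, the sweep threshold and every frame below are constructed for the demo.

```python
"""Spotting Industroyer-style control traffic on an IEC 60870-5-104 link.

Added example: parses I-format APDUs, pulls out control-command ASDUs (the
"open/close this breaker" messages) and alerts when a command comes from a
host that is not an approved SCADA master, or when one host walks through
many information object addresses (IOAs) on one outstation in a row.
All addresses and frames are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple

START_BYTE = 0x68        # every IEC 104 APDU starts with 0x68
COT_ACTIVATION = 6       # cause of transmission "activation": an actual command

# ASDU type IDs carrying control commands and their element size in bytes
# (the time-tagged variants append a 7-byte CP56Time2a timestamp).
CONTROL_TYPES = {
    45: ("C_SC_NA_1 single command", 1),
    46: ("C_DC_NA_1 double command", 1),
    47: ("C_RC_NA_1 regulating step command", 1),
    58: ("C_SC_TA_1 single command, time-tagged", 8),
    59: ("C_DC_TA_1 double command, time-tagged", 8),
}


@dataclass(frozen=True)
class ControlCommand:
    type_id: int
    common_address: int   # station address of the RTU/IED
    ioa: int              # information object address, e.g. one breaker
    select: bool          # S/E bit: True = select, False = execute
    state: int            # SCS (0/1) or DCS (1 = off, 2 = on) bits


def parse_apdu(data: bytes) -> List[ControlCommand]:
    """Return the control commands in one APDU ([] for S/U-format frames and
    for non-command ASDUs). Raises ValueError on malformed input."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU")
    if data[1] + 2 != len(data):
        raise ValueError("APDU length field does not match buffer")
    if data[2] & 0x01:                 # S- or U-format: no ASDU present
        return []
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id = asdu[0]
    sequence = bool(asdu[1] & 0x80)    # SQ bit: one IOA, then consecutive elements
    count = asdu[1] & 0x7F
    cot = asdu[2] & 0x3F               # low six bits; bit 6 = P/N, bit 7 = test
    common_address = int.from_bytes(asdu[4:6], "little")
    if type_id not in CONTROL_TYPES or cot != COT_ACTIVATION:
        return []
    elem_size = CONTROL_TYPES[type_id][1]
    state_mask = 0x01 if type_id in (45, 58) else 0x03
    commands, pos, base_ioa = [], 6, None
    for i in range(count):
        if not sequence or base_ioa is None:
            if pos + 3 > len(asdu):
                raise ValueError("IOA truncated")
            base_ioa = int.from_bytes(asdu[pos:pos + 3], "little")
            pos += 3
        ioa = base_ioa + i if sequence else base_ioa
        if pos + elem_size > len(asdu):
            raise ValueError("command element truncated")
        qualifier = asdu[pos]
        pos += elem_size
        commands.append(ControlCommand(type_id, common_address, ioa,
                                       bool(qualifier & 0x80), qualifier & state_mask))
    if pos != len(asdu):
        raise ValueError("trailing bytes after last information object")
    return commands


def build_single_command(ioa: int, on: bool, common_address: int = 1,
                         select: bool = False) -> bytes:
    """Build an I-format APDU with one C_SC_NA_1 activation (demo traffic only;
    send/receive sequence numbers are left at zero)."""
    sco = (0x80 if select else 0x00) | (0x01 if on else 0x00)
    asdu = (bytes([45, 0x01, COT_ACTIVATION, 0x00]) + common_address.to_bytes(2, "little")
            + ioa.to_bytes(3, "little") + bytes([sco]))
    control = bytes(4)
    return bytes([START_BYTE, len(control) + len(asdu)]) + control + asdu


def scan(frames: Iterable[Tuple[str, str, bytes]], allowed_masters: Iterable[str],
         sweep_threshold: int = 4) -> List[Tuple[str, str, str, int]]:
    """Alert on commands from unapproved masters and on one source commanding
    `sweep_threshold` distinct IOAs on one outstation (Industroyer-style walk)."""
    allowed, alerts = set(allowed_masters), []
    commanded = defaultdict(set)       # (src, dst) -> IOAs commanded so far
    for src, dst, apdu in frames:
        try:
            commands = parse_apdu(apdu)
        except ValueError:
            alerts.append(("malformed_apdu", src, dst, 0))
            continue
        for cmd in commands:
            if src not in allowed:
                alerts.append(("unauthorised_master", src, dst, cmd.ioa))
            commanded[(src, dst)].add(cmd.ioa)
            if len(commanded[(src, dst)]) == sweep_threshold:
                alerts.append(("ioa_sweep", src, dst, sweep_threshold))
    return alerts


def sample_frames() -> List[Tuple[str, str, bytes]]:
    """Constructed traffic: one legitimate command from the SCADA master, a
    U-format TESTFR keepalive, then a rogue host toggling six breakers."""
    master, rogue, rtu = "10.0.1.10", "10.0.1.77", "10.0.2.20"
    frames = [(master, rtu, build_single_command(ioa=100, on=True)),
              (rogue, rtu, bytes.fromhex("68 04 43 00 00 00"))]
    frames += [(rogue, rtu, build_single_command(ioa=i, on=bool(i % 2))) for i in range(1, 7)]
    return frames


if __name__ == "__main__":
    for alert in scan(sample_frames(), allowed_masters=["10.0.1.10"]):
        print(alert)
```

The master allowlist is the check that matters most: the base IEC 104 protocol carries no authentication, so the outstation will obey a correctly formed command from any host that can reach TCP port 2404, and only the network can tell a rogue sender from the real SCADA master. The IOA-sweep rule is a second, behavioural signal for a payload that works through address ranges rather than operating a single known point.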

It also uses Tor to communicate privately with its command and control servers, and an additional backdoor is there to regain access to the targeted network if the main backdoor is detected or disabled.

Anton Cherepanov, senior malware researcher at ESET, said: “While being universal, in that it can be used to attack any industrial control system using some of the targeted communication protocols, some of the components in analyzed samples were designed to target particular hardware. For example, the wiper component and one of the payload components are tailored for use against systems incorporating certain industrial power control products by ABB, and the DoS component works specifically against Siemens SIPROTEC devices used in electrical substations and other related fields of application.

“Thanks to its ability to persist in the system and provide valuable information for tuning up the highly configurable payloads, attackers could adapt the malware to any environment, which makes it extremely dangerous. Regardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve as a wake-up call for those responsible for security of critical systems around the world.”

ESET acknowledged that while the investigation into the Ukrainian power outage is still ongoing, it was not able to confirm that the Industroyer malware was the direct cause.

“Nevertheless, we believe that to be a very probable explanation, as the malware is able to directly control switches and circuit breakers at power grid substations using four ICS protocols and contains an activation timestamp for December 17, 2016, the day of the power outage,” its whitepaper stated.

Source: Information Security Magazine