Last year, Ukrainians were subject to a crippling power outage thanks to some malware that had infected the systems of power company Ukrenergo. If you’ve been reading Richardcyoung.com for very long, you’ve been warned about the vulnerabilities of Supervisory Control and Data Acquisition (SCADA) systems. Between the possibilities of an EMP attack, or cyber attacks, unsecured SCADA systems put the whole grid at risk. Reuters reported back in January that initial signs pointed to a cyber attack on Ukrenergo’s SCADA systems.
Preliminary findings indicate that workstations and Supervisory Control and Data Acquisition (SCADA) systems, linked to the 330 kilowatt sub-station “North”, were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed to Reuters.
“The analysis of the impact of symptoms on the initial data of these systems indicates a premeditated and multi-level invasion,” Ukrenergo said.
Now a security firm named Dragos has named and classified the malware used to cause the outage. ArsTechnica reports:
“Crash Override,” as security firm Dragos has named the tool platform, is the first known malware framework designed to attack electric grid systems. Dragos researchers said it was used successfully in what may have been a dress rehearsal on a December 17 hack on an electric transmission substation in Kiev. While the Kiev outage lasted only a few hours, several features of the malware that weren’t turned on in the December hack have the potential to cause disruptions that persist for as long as a week. Crash Override is a completely new platform that was far more advanced than the general-purpose tools the same group used to attack Ukraine’s power grid in December 2015.
What makes Crash Override so sophisticated is its ability to use the same arcane technical protocols that individual electric grid systems rely on to communicate with one another. As such, the malware is more notable for its mastery of the industrial processes used by global grid operators than its robust code. Its fluency in the low-level grid languages allowed it to instruct Ukrainian devices to de-energize and re-energize substation lines, a capability not seen in the attack a year earlier that used a much cruder set of tools and techniques. The concern is that “Industroyer”—the other name given to the malware—can be used against a broad range of electric systems around the world.
The most threatening thing researchers have learned about Crashoverride is its adaptability to American energy systems. The Wall Street Journal reports:
Computer-security researchers said Sunday they have discovered the malicious software that knocked out electricity in Ukraine’s capital last year, and warned U.S. companies that the code could be repurposed to disrupt systems in the U.S.
The discovery sheds light on an incident that security experts have been watching closely, hoping to understand the risk to the U.S. electrical grid. It follows a 2014 cyber-campaign against the U.S. in which networks at 17 energy companies, including four electric utilities, were compromised.
The malicious software, called Crashoverride, has been analyzed over the past week by Dragos Inc., a Washington, D.C., firm specializing in securing the industrial-control systems in manufacturing plants or power facilities. Robert M. Lee, Dragos’s chief executive, said the software was discovered earlier this year by ESET, a Slovakia-based antivirus vendor.
Read more here.