S
SHOOTER13
Guest
Seven minutes before midnight last Dec. 17, a bomb of sorts went off in a high voltage substation north of Kiev.
But if you were standing outside the 20 acres of gleaming metal transformers and coils, you wouldn’t have heard a bang or seen a flash. It wasn’t that kind of bomb. It was a piece of malicious software that had been hiding in a control room computer miles away, waiting for the right time to reveal itself. At 11:53 p.m., the logic bomb transmitted a staccato burst of pre-programmed commands to the substation, popping one circuit breaker after another until a strip of houses in and around western Kiev were plunged into darkness.
Technicians responded to the Pivnichna substation and took the circuit breakers off computer control, restoring power a little after 1 a.m. It was only the second confirmed case of a computer attack triggering an electrical blackout, and compared to the first, 12 months earlier—also in Ukraine—it was a fizzle, affecting far fewer customers and for a fraction of the time. In the six months since the Kiev attack, security researchers have wondered why the hackers even bothered with such a fleeting disruption and speculated that someone was using Ukraine as a testing ground for a more serious attack.
Now that dark assessment seems to be confirmed. Researchers at two security companies on Monday announced they’ve finally found and analyzed the malware that triggered the Kiev blackout, and it’s far worse than imagined. The computer code, dubbed “CrashOverride” by San Antonio-based Dragos, and “Industroyer” by ESET in Slovakia, is a genuine cyber weapon that can map out a power station’s control network and, with minimal human guidance, issue malicious commands directly to critical equipment. Only once before has the world seen malware designed for such sabotage, with the 2010 Stuxnet virus used against Iran’s nuclear program. CrashOverride is the first to target civilians and the first such malware built to target a nation’s power supply.
It’s unclear who created CrashOverrride. Both ESET and Dragos say it was built from scratch, leaving none of the usual fingerprints that allow analysts to link one hacking campaign to another. Ukraine has faced a near-biblical plague of cyber attacks since entering into hostilities with Russia three years ago, and many have led unequivocally to Moscow. But not so with CrashOverride.
The only thing that’s certain, says security researcher Robert Lee, CEO of Dragos, is that the malware wasn’t built as a one-time weapon. It’s designed from the ground up to be easily reconfigured for a variety of targets and contains some payloads that weren’t even fired off in the Kiev attack.
“It’s a nightmare,” Lee said. “The malware in its current state would be usable for every power plant in Europe. This is a framework designed to target other places.”
ESET was first to find samples of the malware, and the company shared its initial analysis with Dragos, which went on to find additional samples and new components of the code. Electric utilities throughout the United States and Canada were alerted to the new malware last week by the North American Electric Reliability Corporation, the industry group responsible for power grid security.
“We believe that our current protective measures provide an initial barrier,” said Marcus Sachs, NERC’s chief security officer, “and we are providing additional technical information to North American utilities specific to this malware.”
But if you were standing outside the 20 acres of gleaming metal transformers and coils, you wouldn’t have heard a bang or seen a flash. It wasn’t that kind of bomb. It was a piece of malicious software that had been hiding in a control room computer miles away, waiting for the right time to reveal itself. At 11:53 p.m., the logic bomb transmitted a staccato burst of pre-programmed commands to the substation, popping one circuit breaker after another until a strip of houses in and around western Kiev were plunged into darkness.
Technicians responded to the Pivnichna substation and took the circuit breakers off computer control, restoring power a little after 1 a.m. It was only the second confirmed case of a computer attack triggering an electrical blackout, and compared to the first, 12 months earlier—also in Ukraine—it was a fizzle, affecting far fewer customers and for a fraction of the time. In the six months since the Kiev attack, security researchers have wondered why the hackers even bothered with such a fleeting disruption and speculated that someone was using Ukraine as a testing ground for a more serious attack.
Now that dark assessment seems to be confirmed. Researchers at two security companies on Monday announced they’ve finally found and analyzed the malware that triggered the Kiev blackout, and it’s far worse than imagined. The computer code, dubbed “CrashOverride” by San Antonio-based Dragos, and “Industroyer” by ESET in Slovakia, is a genuine cyber weapon that can map out a power station’s control network and, with minimal human guidance, issue malicious commands directly to critical equipment. Only once before has the world seen malware designed for such sabotage, with the 2010 Stuxnet virus used against Iran’s nuclear program. CrashOverride is the first to target civilians and the first such malware built to target a nation’s power supply.
It’s unclear who created CrashOverrride. Both ESET and Dragos say it was built from scratch, leaving none of the usual fingerprints that allow analysts to link one hacking campaign to another. Ukraine has faced a near-biblical plague of cyber attacks since entering into hostilities with Russia three years ago, and many have led unequivocally to Moscow. But not so with CrashOverride.
The only thing that’s certain, says security researcher Robert Lee, CEO of Dragos, is that the malware wasn’t built as a one-time weapon. It’s designed from the ground up to be easily reconfigured for a variety of targets and contains some payloads that weren’t even fired off in the Kiev attack.
“It’s a nightmare,” Lee said. “The malware in its current state would be usable for every power plant in Europe. This is a framework designed to target other places.”
ESET was first to find samples of the malware, and the company shared its initial analysis with Dragos, which went on to find additional samples and new components of the code. Electric utilities throughout the United States and Canada were alerted to the new malware last week by the North American Electric Reliability Corporation, the industry group responsible for power grid security.
“We believe that our current protective measures provide an initial barrier,” said Marcus Sachs, NERC’s chief security officer, “and we are providing additional technical information to North American utilities specific to this malware.”