When we started analyzing the malware behind the Ukrainian blackout, we were surprised by the bad guys’ deep knowledge of industrial control systems, as well as the malware’s overall impact potential.
The blackout that hit the Ukrainian capital, Kiev, in December 2016 looked no different from other security incidents in that country. Even after it became clear that the outage was the result of a cyberattack, it was not a huge surprise, as a similar blackout had occurred one year earlier, and the whole of Ukraine had been under cyber-fire for the past couple of years. But we soon realized that the malware used in this particular attack had much more far-reaching capabilities. In fact, its modus operandi was truly novel. Since Stuxnet, the worm used to damage Iranian uranium-enrichment centrifuges back in 2010, the world had not seen malware directly communicating with industrial control systems.
We named it Industroyer, with respect to its destructive power.
Industroyer is modular malware; given its flexibility, we may even call it a malware framework. Our analysis shows that its core component is a backdoor that installs and controls the other components and connects to a remote server to receive commands and to report to the attackers.
What sets Industroyer apart from other malware targeting infrastructure is its use of four payload components, each targeting a particular industrial communication protocol (defined in the IEC-101, IEC-104 and IEC-61850 standards, and in OPC Data Access). These components are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.
Generally, the purpose of the payloads is to map the network, and then poll and issue commands that will work with specific industrial control devices.
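Because the payloads speak the substation protocols directly, one useful defensive control is to decode that traffic and flag control commands that do not originate from the legitimate SCADA master. The following is an added example, not ESET's or Industroyer's code: a minimal IEC 60870-5-104 decoder with a source allow-list check. The sample frames, the master IP address and the rogue host are constructed for the demo.

```python
"""Added example: decode IEC-104 I-format APDUs and alert on control commands
(single/double/regulating/interrogation) sent from hosts other than known masters."""
import struct

# ASDU type identifiers for process-control commands (IEC 60870-5-101/104).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    100: "C_IC_NA_1 interrogation command",
}

def parse_apdu(data: bytes):
    """Decode one I-format APDU; return None for S/U frames or malformed input."""
    if len(data) < 16 or data[0] != 0x68 or data[1] != len(data) - 2:
        return None
    if data[2] & 0x01:            # bit0 set -> S- or U-format, carries no ASDU
        return None
    type_id, vsq, cot, _oa = data[6], data[7], data[8], data[9]
    ca = struct.unpack_from("<H", data, 10)[0]          # common address (LE)
    ioa = int.from_bytes(data[12:15], "little")         # 3-byte information object address
    return {"type_id": type_id, "count": vsq & 0x7F, "cot": cot & 0x3F,
            "ca": ca, "ioa": ioa, "element": data[15]}

def describe_command(asdu):
    """Human-readable action for single/double commands (select vs execute)."""
    elem, t = asdu["element"], asdu["type_id"]
    stage = "select" if elem & 0x80 else "execute"     # S/E bit
    if t == 45:
        return f"{stage} single command {'ON' if elem & 1 else 'OFF'}"
    if t == 46:
        state = {1: "OFF", 2: "ON"}.get(elem & 0x03, "invalid")
        return f"{stage} double command {state}"
    return CONTROL_TYPES.get(t, f"type {t}")

def check_frame(src_ip, data, allowed_masters):
    """Return an alert string for a control command from an unexpected source, else None."""
    asdu = parse_apdu(data)
    if asdu is None or asdu["type_id"] not in CONTROL_TYPES or src_ip in allowed_masters:
        return None
    return (f"ALERT {src_ip} -> CA {asdu['ca']} IOA {asdu['ioa']}: "
            f"{describe_command(asdu)} (COT {asdu['cot']})")

# Constructed sample traffic: the legitimate SCADA master and a rogue workstation.
MASTERS = {"10.0.0.10"}
SAMPLES = [
    ("10.0.0.10", bytes.fromhex("680e000000002d010600010001000001")),  # master: single cmd ON
    ("10.0.0.57", bytes.fromhex("680e020000002e010600010005000081")),  # rogue: double cmd OFF select
    ("10.0.0.57", bytes.fromhex("680e0400000064010600010000000014")),  # rogue: interrogation
]

if __name__ == "__main__":
    for src, frame in SAMPLES:
        print(check_frame(src, frame, MASTERS) or f"ok    {src}")
```

Running it prints one "ok" line for the master and two ALERT lines for the rogue host.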
Furthermore, Industroyer is capable of rendering protection relays unresponsive and then wiping SCADA software configurations from operators’ workstations, effectively hindering their ability to recover from the attack.
As a highly configurable malware platform, Industroyer can be easily refitted to attack other energy infrastructures and even other industries, such as transportation or manufacturing.
For example, with simple modifications, such as adding a DNP3 communication protocol module, it could be deployed against U.S. electric transmission and distribution systems. Attacking industrial control systems in other industries would require repurposing of the malware, and it would require attackers to get acquainted with operations at the targeted site — an ability they clearly demonstrated in Ukraine.
Industroyer poses a big threat to industrial systems because it doesn’t exploit any vulnerabilities. If that were the case, it’d be easy to patch those vulnerabilities and make the system safe again. Unfortunately, industrial systems and the communication protocols that they are using — that Industroyer is targeting — were developed decades ago, without security in mind. They are insecure by design, so Industroyer (and similar malware that may be discovered in the future) can easily speak to equipment and thus influence the physical processes governed by the equipment.
Given the deep technical knowledge of attackers and the sophistication of Industroyer, the scope of the blackout caused — it lasted around one hour — was surprisingly small. Among possible explanations for the seemingly unfulfilled attack potential, the one most commonly cited is that the December attack in Ukraine was a large-scale test.
Even before ESET’s analysis of Industroyer was published, industrial control security practitioners around the world were considering security a serious issue, according to the recent research “Securing Industrial Control Systems – 2017” by the SANS Institute. The research shows that 69 percent of respondents consider the threat to their ICS systems to be high or severe/critical. Arguably, had the respondents been aware of Industroyer and its capabilities, there would’ve been even more people expressing fears about possible malware attacks.
Whether or not the Industroyer attack was only a test, its emergence should serve as a wakeup call for all those responsible for security of critical infrastructures worldwide.
About the author: Robert Lipovsky is a senior malware researcher in ESET’s Security Research Laboratory, with 10 years of malware research experience. He is responsible for malware intelligence and analysis and leads the malware research team at ESET’s headquarters in Bratislava.