Today the Dragos, Inc. team is releasing a report titled CRASHOVERRIDE: Analyzing the Malware that Attacks
Power Grids. CRASHOVERRIDE is a malware framework that has not been disclosed before today but is the
capability used in the cyber-attack on the Ukraine electric grid in 2016 (not the 2015 attack). Dragos
can also confirm that we are tracking the adversary group behind the attack as ELECTRUM and can assess
with high confidence the group has direct ties to the Sandworm Team which targeted infrastructure companies
in the United States and Europe in 2014 and Ukraine electric utilities in 2015. The report we are releasing
today serves as an industry report to accompany the intelligence report our customers have received on
the threat. The intelligence report goes into more technical exploration and ties together sensitive
details, but the industry report contains everything that defenders need to analyze the threat, defend
their systems, and understand the potential impact. The report also explains grid operations and lays
out the realistic threat scenarios, with the aim of reducing hype and confusion about the impact.
The report may be found directly, without any requirement to submit an email address or other
personal information.
The purpose of this blog post is to introduce some high-level items everyone should be aware of
(especially those who do not have time to read the full report).
- The electric grid is extremely reliable. CRASHOVERRIDE represents alarming tradecraft and the ability
to disrupt operations, but the public must understand that any outages would be measured in hours
or days, not weeks or months. Grid operators train regularly to restore power after events of
similar size, such as weather storms. The first thank you that needs to be publicly stated goes to
the men and women whose dedication to the reliability and safety of electric power has put the grid
in a defensible position.
- The Slovakian anti-virus firm ESET informed Dragos on June 8th, 2017 that they would be releasing their
report on June 12th on a piece of malware they identify as "Industroyer." They asked Dragos, which
has subject matter experts focused on ICS security, to validate their findings for the reporters
they were speaking to. Dragos would like to recognize ESET's good work and thank them for providing
the digital hashes of several malware samples, which initiated our discovery of this new capability.
- Dragos was able to confirm much of ESET's analysis and leveraged the hashes to find other undisclosed
samples and connections to a group we are tracking internally as ELECTRUM. The new functionality,
the connections to the threat group, the numerous references to crash.dll in the malware, and our
assessment that the capability is specific to electric grid operations rather than industry-wide
together led the team to name this malware CRASHOVERRIDE.
- CRASHOVERRIDE is a framework with modules specific to ICS protocol stacks, including IEC 101, IEC
104, IEC 61850, and OPC. It is designed to allow the inclusion of additional payloads, such as DNP3,
but at this time no such payloads have been confirmed. The malware also contains non-ICS-specific
modules, such as a wiper that deletes files and terminates processes on the infected system,
enabling a destructive attack on operations technology gear (not physical destruction of grid equipment).
- The CRASHOVERRIDE modules are used to open circuit breakers on RTUs and force them into an infinite
loop that keeps the breakers open even when grid operators attempt to close them. This is what
de-energizes the substations. Grid operators can fall back to manual operations to alleviate this
issue.
- CRASHOVERRIDE appears not to have used all of its functionality and modules in the 2016 attack; the
Kiev transmission substation targeted may have been more of a proof-of-concept attack than a full
demonstration of the capability in CRASHOVERRIDE.
- CRASHOVERRIDE's wiper searches for specific ABB files to delete from a system; however, the malware
exploits no vulnerability in ABB products. It is important to understand that the malware's tradecraft
is sophisticated because it takes advantage of knowledge of grid operations and is vendor independent.
In our assessment, the vendor names associated with the Kiev site are insignificant details, and the
vendors and the configuration of the environment were not at fault.
- ESET's report cites a Siemens SIPROTEC denial-of-service module based on a publicly disclosed 2015
vulnerability. However, we cannot confirm the existence of this module.
- There are concerning scenarios in which this malware could be leveraged to disrupt grid operations,
resulting in hours of outages at targeted locations and extending into a few days if multiple sites
were hit. However, it is important to know this is not a catastrophic scenario: there is no evidence
the ELECTRUM actors could use CRASHOVERRIDE to cause more than a few days of outages, and even a few
days would require targeting multiple sites simultaneously, which is entirely possible but not trivial.
CRASHOVERRIDE is an extremely concerning capability but should not be wrapped in "doom and gloom"
scenarios. Anything beyond single-substation events and small islanding events from targeting a few
locations is purely speculation and not worth discussing at this time.
Indicators of compromise for the CRASHOVERRIDE malware can be found in the industry report. Indicators
are useful, but the most important thing for security teams to watch for is malicious behavior and the
set patterns associated with ICS communications. Dragos Platform customers detect CRASHOVERRIDE and
similar tradecraft within an ICS network through a dozen new behavioral analytics and associated
intelligence context. Follow-on intelligence reports will keep customers up to date on the threat actor
and capability as the situation evolves. The Dragos, Inc. team and ESET will also break down what is
known to the public for the first time together at our joint talk at the Black Hat conference.
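As an added example of the behavioral detection this post recommends (this is illustration code written for this page, not Dragos, ESET, or Dragos Platform code), the following Python parses IEC 60870-5-104 I-frames carrying single (type 45) and double (type 46) commands and flags a control point that receives the same OFF/execute command repeatedly in a short window, which is the shape of the breaker-opening loop described in the bullets above. The frame layout follows the IEC 104 standard (2-byte cause of transmission, 2-byte common address, 3-byte information object address); the threshold, window, the mapping of "OFF" to "breaker open", and the sample traffic are assumptions constructed for the example.

```python
"""Behavioral detector for a looping IEC 60870-5-104 breaker-open command.

Added example, not code from the report. Assumptions: OFF on a type 45/46
command opens the breaker; 5 OFF/execute commands to one point within 10 s
is abnormal; sample frames below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import struct

C_SC_NA_1 = 45   # single command
C_DC_NA_1 = 46   # double command


@dataclass
class ControlCommand:
    ts: float
    common_addr: int
    ioa: int
    type_id: int
    state: str     # "ON", "OFF" or "INVALID"
    select: bool   # True = select, False = execute


def parse_apdu(raw: bytes, ts: float) -> Optional[ControlCommand]:
    """Return a ControlCommand for an I-frame carrying type 45/46, else None."""
    if len(raw) < 6 or raw[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if raw[1] + 2 != len(raw):
        raise ValueError("APDU length field does not match frame size")
    ctrl = raw[2:6]
    if ctrl[0] & 0x01:          # S- or U-format frame: carries no ASDU
        return None
    asdu = raw[6:]
    if len(asdu) < 10:          # header (6) + IOA (3) + command qualifier (1)
        return None
    type_id, vsq = asdu[0], asdu[1]
    if type_id not in (C_SC_NA_1, C_DC_NA_1) or (vsq & 0x7F) != 1:
        return None             # asdu[2:4] = COT + originator address, unused here
    common_addr = struct.unpack("<H", asdu[4:6])[0]
    ioa = int.from_bytes(asdu[6:9], "little")
    qualifier = asdu[9]
    select = bool(qualifier & 0x80)             # S/E bit: 1 = select, 0 = execute
    if type_id == C_SC_NA_1:
        state = "ON" if qualifier & 0x01 else "OFF"          # SCS bit
    else:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")  # DCS bits
    return ControlCommand(ts, common_addr, ioa, type_id, state, select)


def build_command(type_id, common_addr, ioa, state, select=False, send_seq=0, recv_seq=0):
    """Encode a type 45/46 I-frame; used only to construct sample traffic."""
    if type_id == C_SC_NA_1:
        q = 0x01 if state == "ON" else 0x00
    elif type_id == C_DC_NA_1:
        q = {"OFF": 0x01, "ON": 0x02}[state]
    else:
        raise ValueError("unsupported type id")
    if select:
        q |= 0x80
    asdu = (bytes([type_id, 0x01, 0x06, 0x00])   # VSQ: 1 object; COT 6 = activation; OA 0
            + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + bytes([q]))
    ctrl = struct.pack("<HH", send_seq << 1, recv_seq << 1)   # I-format: bit 0 clear
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def detect_command_storm(commands, threshold=5, window_s=10.0):
    """Alert once per point that receives >= threshold OFF/execute commands within window_s."""
    recent: Dict[Tuple[int, int], List[float]] = {}
    alerted = set()
    alerts = []
    for cmd in sorted(commands, key=lambda c: c.ts):
        if cmd.state != "OFF" or cmd.select:
            continue
        key = (cmd.common_addr, cmd.ioa)
        hist = recent.setdefault(key, [])
        hist.append(cmd.ts)
        while cmd.ts - hist[0] > window_s:    # drop timestamps outside the window
            hist.pop(0)
        if len(hist) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"common_addr": key[0], "ioa": key[1], "count": len(hist),
                           "first_ts": hist[0], "last_ts": hist[-1]})
    return alerts


def build_sample_capture():
    """Constructed traffic: two benign operator actions, a U-frame, and a command loop."""
    frames = [
        (0.0, build_command(C_DC_NA_1, 1, 1001, "OFF", send_seq=1)),   # operator opens 1001
        (90.0, build_command(C_DC_NA_1, 1, 1001, "ON", send_seq=2)),   # and closes it later
        (99.0, bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),           # STARTDT act, no ASDU
    ]
    for i in range(20):   # same OFF command to breaker 2002 every 0.5 s
        frames.append((100.0 + 0.5 * i, build_command(C_DC_NA_1, 1, 2002, "OFF", send_seq=10 + i)))
    return frames


def analyze(frames):
    cmds = []
    for ts, raw in frames:
        cmd = parse_apdu(raw, ts)
        if cmd is not None:
            cmds.append(cmd)
    return detect_command_storm(cmds)


if __name__ == "__main__":
    for a in analyze(build_sample_capture()):
        print(f"ALERT: CA {a['common_addr']} IOA {a['ioa']} received {a['count']} OFF commands "
              f"in {a['last_ts'] - a['first_ts']:.1f} s")
```

The benign open/close pair on point 1001 produces no alert, while the repeated OFF to point 2002 trips the detector on the fifth command; in a real deployment the threshold should be tuned to each site's operating practice, and select-before-execute sequences, single-command variants, and IEC 101 serial framing would need the same treatment.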