According to Wired, a power outage occurred a week before Christmas in Kiev, Ukraine. Hackers unleashed a particularly nasty piece of malware that was able to take control of the SCADA systems that control the electrical equipment and substations. The damage was relatively limited, lasting only about an hour, but compared to a similar attack on Ukraine two years earlier, this December attack was drastically different.
Two cybersecurity firms, ESET and Dragos Inc., released a detailed analysis of the attack this week explaining how it works and why it remains a menace. The malware, dubbed “Crash Override” or “Industroyer”, is able to nearly automate attacks on power infrastructure and includes swappable components that allow it to adapt to different utilities. The malware was able to use the specific protocols the subsystems rely on in order to control the flow of electricity. Once a machine is infected, the malware automatically maps out the control network and locates critical equipment. It also sends logs back to the attackers for use in future attacks. Because this particular malware is automated, it allows attackers to deploy quickly against multiple sites with less manpower. In contrast, cybersecurity experts believe the attack two years ago required no fewer than 20 people to hit three separate regional energy companies in a coordinated strike. This attack was also probably facilitated by a targeted spear-phishing campaign that allowed the hackers to gain administrative credentials. According to Rob Lee of Dragos, “Those 20 people could target ten or fifteen sites or even more, depending on time.”
The most infamous case of malware targeting infrastructure was the Stuxnet virus that took down Iranian nuclear power plants. However, while Stuxnet was focused on disrupting Iran’s nuclear ambitions, this is only the second time that malware has targeted commercial power stations. This past January, the U.S. Department of Energy warned that the electric grid “faces imminent danger” from targeted infrastructure attacks. At the moment, Crash Override doesn’t seem to use any zero-day vulnerabilities, and it also seems to be limited to causing regional blackouts rather than damage on the scale of the 2003 blackout in the northeastern United States.