Petya Petrova - Fotolia

CrashOverride ICS attack targets vulnerable electrical grid

Researchers discovered new details of a Kiev ICS attack from December using CrashOverride malware that could be used to disrupt an insecure electrical grid.

Security researchers have uncovered the CrashOverride malware framework used to take down part of the electrical grid in Kiev, Ukraine, last year, and experts warned the framework could be used against insecure utilities around the world.

On June 8, antivirus firm ESET, an IT security company headquartered in Bratislava, Slovakia, contacted industrial security firm Dragos Inc. regarding an industrial control system (ICS) attack. Dragos researchers found the malware framework, which they call CrashOverride, was used in December 2016 in an ICS attack on the Kiev electrical grid.

According to Dragos, an industrial cybersecurity startup in Fulton, Md., the CrashOverride malware is "a modular framework consisting of an initial backdoor, a loader module, and several supporting and payload modules." In a practical ICS attack, the malicious actor would first need to establish an internal proxy in order to install the backdoor. At this point, CrashOverride would download a data-wiper module, which "clears registry keys, erase[s] files and kill processes running on the system.

"The functionality in the CrashOverride framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages," Dragos wrote in its report. "There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites. However, it is important to know this is not a catastrophic scenario; there is no evidence the Electrum actors could use CrashOverride to do more than a few days of outages, and even to get a few days, [it] would require the targeting of multiple sites simultaneously, which is entirely possible, but not trivial. CrashOverride is an extremely concerning capability, but should not be taken with any doom and gloom type scenarios."

Robert Lee, founder and CEO of Dragos, said ESET had already planned to go public with the CrashOverride information on June 12, so Dragos had to move quickly on its analysis.

"If it was our decision, we would have not published on the timeline we did. But given that we did not control the timeline, we worked our hardest over the 96 hours we had to hunt down samples of the malware, analyze it, find additional samples, and get details ASAP to industry partners and key members of the community, as well as the appropriate government agencies," Lee told SearchSecurity. "We do not disclose who all we notify in events like this, but we made entities such as national CERTs around the world aware in that 96-hour time window, as well, once we were confident in our analysis."

Protocol issues in ICS security

Another option for an ICS attack using CrashOverride would be to use an IEC 104 module "to serve in a 'master' role."

"This raw functionality creates a Swiss army knife for substation automation manipulation, yet also provides tailored functionality," Dragos wrote. "The functions exposed to the malware operator are confined by the options of the configuration file."

Andrea Carcano, co-founder and chief product officer for Nozomi Networks Inc., an ICS security company based in San Francisco, said, "The protocol communication used by CrashOverride is not a flaw, per se."

"The threat actor merely used legitimate commands to send incorrect directions to the substation control units," Carcano told SearchSecurity. "Once CrashOverride was able to penetrate the plant network, the communications it sent on the network were all using industrial protocols as they are intended to be used."

Katie Moussouris, CEO of Luta Security, said on Twitter that the CrashOverride ICS attack method "shows how difficult it is to fix protocol-level security issues, especially in ICS."

"It is a canonical example of multiparty vulnerability coordination, where the [vulnerabilities] are in a protocol implemented by many who must all fix [it]," Moussouris told SearchSecurity. "There's nothing typical about the timeline, but it can take years, especially if a protocol revision requires new hardware design. Mitigation is case-specific, from disabling functionality that uses the protocol -- usually not an option -- to segmentation to other filtering."

Richard Henderson, global security strategist at Absolute Software, an endpoint security company based in Vancouver, B.C., said an ICS attack using the IEC 104 module would be "pretty scary stuff if it was used to mess with remote terminal units [RTUs]."

"Cascade failures are a very real risk in our modern, connected power system -- we only need to go back to the Northeast blackout of 2003 to see how quickly an issue can spread and cause massive outages. In some cases, it took days before power was restored," Henderson told SearchSecurity. "A targeted attack on RTUs, which can physically toggle station [and] substation breakers on or off, could place other sections of the grid under massive stress ... it wouldn't be too much of a stretch to imagine some of those other systems on the grid falling over. This is one of the biggest threats facing ICS and SCADA today: There is a very real-world threat when we marry cyber to the kinetic." 

Risks of ICS attack

Experts varied in opinions regarding the possibility of an ICS attack on utilities in the U.S., but said security can be lacking.

"In general, they are vulnerable because they were not designed with security in mind. Yet, they are exposed to danger more than ever due to increasing connections with business networks and the internet -- sometimes inadvertent connections. Thus, once an attacker gets onto a plant network, they have a lot of ways of achieving their goals," Carcano said. "Operators should use this discovery as a reminder to harden down access to ICS networks, review network segmentation and implement real-time ICS anomaly detection solutions that would quickly alert them to unusual network communications."

John Chirhart, federal technical director at Tenable Network Security, publisher of the Nessus vulnerability scanner based in Columbia, Md., said ICS attacks are becoming more likely because of how systems are becoming integrated into networks.

"Legacy systems were originally designed to be walled off and isolated from external threats. But with the explosion of interconnected networks, these systems have found themselves operating in blended environments," Chirhart told SearchSecurity. "The reason ICS are so insecure is that they are typically treated as a separate attack surface, when, in fact, it's part of the new world of IT and must be constantly monitored, secured and folded into an organization's comprehensive modern security strategy."

Bryan Singer, director of industrial cybersecurity services and sales for IOActive Inc., a cybersecurity company headquartered in Seattle, said the danger of an ICS attack is somewhat limited, because "utilities are already well-equipped to respond to large disruptions of substation automation systems -- they do it all the time for geological and meteorological events." He continued:

The larger question would be whether utilities are ready to handle a persistent malware threat, which may require them to run their system with far more manual intercession than utilities today are used to doing. One thing that made some of the original attacks on the Ukrainian power grid have such minimal real impact is that they had only recently moved to digital systems, so there were knowledgeable operators ready and able to run in manual mode to keep the power on. In many other areas of the world, including the United States, we are capable of the same manual operation, but it may take more resources than we have on hand at any given point if the outage is significant.

David Zahn, general manager of ICS cybersecurity at PAS, an ICS security company headquartered in Houston, said utilities should be wary of assuming natural and human-powered ICS attacks are equivalent.

"There seems an undercurrent of surprise or reactionary concern when we hear details on how bad actors are advancing sophisticated means to attack critical infrastructure," Zahn told SearchSecurity. "In power, we are in denial that a similar attack could happen in the U.S. We also get mired in misconceptions that we are well-prepared because of regulation, or squirrels -- yes, squirrels -- are more likely to bring down power than a hacker. The problem is that nation states have a plan; squirrels do not."

Henderson was confident "the security people working in critical infrastructure are among our best and brightest, and I have little doubt that they're ready and watching for CrashOverride or other copycat attacks."

"ICS [and] SCADA are some of the most critical pieces of technology in the world today. Literally everything society is built on today is built upon power, water and industrial technology ... and without those things, the world as we know it would grind to a standstill," Henderson said. "Those are very scary words and toe the line on fear-mongering, but I really do think that it's that important of an issue. Does that make them more vulnerable to incident? I don't think so ... but it does make the impacts of attacks exponentially more dangerous, with the impact to reality that much larger."

Next Steps

Learn about the BlackEnergy malware ICS attack Ukraine accused Russia of using.

Find out why the public and private sectors are on the hook if the grid goes down.

Get info on the development of an ICS security framework.

Dig Deeper on Threats and vulnerabilities