New malware has emerged which researchers call “the biggest threat to industrial control systems since Stuxnet.”Researchers at ESET detailed the discovery of Win 32/Industroyer malware in a recent blogpost.
They write: “the malware is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.”
Researchers point to an event in Kyiv where a power substation was compromised and electricity was cut to a part of the city for an hour in December 2016. While ESET cannot say for sure whether it was used in those attacks, the probability is high. Not only is the malware particularly suited to performing such an attack, the activation timestamp within the malware matches the date of the attack. Such tools, add ESET, “are an advanced piece of malware in the hands of a sophisticated and determined attacker.”
It can currently seize hold of electricity substation switches and circuit breakers, allowing its controllers to cut off power to its targets, damaging equipment and sparking cascading failures.
But Industroyer is modular, allowing attackers to customise the malware to their needs. ESET's analysis of it revealed four separate payloads which, when deployed, map the networks and issue commands, communicating with specific protocols used by its target: (IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access)
The malware stays quiet and attempts to obfuscate the identity of its controllers. It retains a ‘backup backdoor' hidden as the Notepad application, so when its main backdoor is discovered, it can re-enter the compromised network. It also possesses a wiper module which gets rid of crucial parts of the attack system, hindering recovery from the attack.
It's truly lethal quality is its use of communication protocols which are used globally across a wide variety of sectors including power, water and transportation. Those protocols were dreamt up in an age before the threat of a cyber-attack occured to anyone and were built for systems which no one over thought would be connected to the outside world. As researchers noted, the inventors of Industroyer didn't even need to find the vulnerabilities: “all they needed was to teach the malware “to speak” those protocols.”
Being modular in design, Industroyer can be reconfigured to the wishes of its controller, and the weaknesses of its target. The samples that ESET analysed, for example, were targeted toward particular industrial control products made by ABB.
Many have attributed the December attacks on Kyiv to Russia and in turn, Industroyer is now being labelled as Russian too. The conflict between Russia and Ukraine has hummed away at a low intensity over the last few years, and after the invasion of Crimea it has largely been playing out in the cyber-realm. Keir Giles, an associate fellow of the Russia and Eurasia Programme told SC Media UK, that this may be “a demonstration of capabilities, saying ‘beware, we know how to do this.'”
There may be similarities between Industroyer and Stuxnet, as ESET has noted. Still, Kim Zetter, the researcher and journalist who literally wrote the book on Stuxnet ‘Countdown to Zero Day', told SC that Industroyer bears marked differences from Stuxnet. She told SC, “Stuxnet was an extremely sophisticated but very targeted and precise attack that could not easily be used against another target, though the basic design could certainly be redrafted for use against something else. Industroyer by contrast is more adaptable. Although it requires some reconfiguration to make it usable against another target, the work to do that is minimal.”
Cevn Vibert, a security researcher in industrial control systems is underwhelmed: “I don't think there's anything specifically exciting about it, it's just another one. There are lots of them around, there are toolkits you can download for free to do a lot of this."
While there are many others speak to industrial protocols, Vibert told SC, “The key to defending against these is to stop being infected.”