Industroyer, also known as Crashoverride, is the first of a growing number of cybersecurity threats designed solely to attack power and electrical grids. It is also one of only four cybersecurity threats found thus far that target Industrial Control Systems (ICS), alongside other well-known attacks such as Stuxnet and BlackEnergy. On December 17, 2016, Kyiv, the capital of Ukraine, suffered what is believed to have been a “test” cyberattack that caused a power outage across about one fifth of the city for an hour.
It was first discovered by ESET, a Slovak internet security company, which also helped coin the name ‘Industroyer.’ Dragos, another cybersecurity firm, was the first to call this new malware Crashoverride. According to Kaspersky Labs, Industroyer is a “sophisticated multi-component malware designed to disrupt the working processes of industrial control systems, especially those used in electrical substation.”
Unlike ordinary crimeware, Industroyer was able to “speak the language of these devices,” according to ESET, because of its multi-layer design. What made Industroyer dangerous was its ability to use industrial systems in the way they were originally meant to be used, which gave it the potential to cause “significant harm” to electric power systems, according to The State of Security. The digital attack shut off critical energy systems and wreaked havoc on other critical infrastructure. Researchers say they rarely see threats with these capabilities, which left organizations with less experience of this kind of cyberattack worried about the future.
A backdoor approach
The initial attack was almost automatic, made possible by Industroyer’s ability to disrupt Ukraine’s ICS processes through a covert and targeted selection of systems, according to ESET. In the first stages, the attackers focused on infiltrating a substation by exploiting CVE-2015-5374, a vulnerability in Siemens SIPROTEC Compact devices. This let Industroyer’s malware slip in through a backdoor the attackers had created, giving them access to even more industrial systems.
The threat actors’ first goal was to ambush on-site industrial hardware, specifically circuit breakers and the protections put in place around them. The main threat was a delayed attack concealed within its code in hexadecimal characters, a base-16 notation that uses the digits zero to nine and the letters A to F. A timer was set for an exact date and time to release the malware that would lead to a blackout. It is believed that the blackout was a testing opportunity that may foreshadow future attacks.
According to Lipovsky, the “real culprits behind the blackout” were four elements in Industroyer’s payload. Industroyer is modular, meaning it attacks in stages using various payloads and plugins that could be installed once the initial compromise succeeded. Modular threats do not overtly carry out an attack, but rather sneak in through that backdoor. Industroyer protected itself by making a copy of the first backdoor and even created a back-up backdoor in case the others were detected and removed. The back-up was disguised as a Windows Notepad application containing hidden malware.
An unstoppable attack
Industroyer set a precedent by being able to speak to multiple devices and multiple areas of a system. This is especially dangerous and made the attack harder for its victims to remediate. According to ZDNet, “Industroyer is modular, and this allowed the four communications protocols to be targeted, no matter the device type, vendor or configuration files. As long as one of the above communication protocols were in use, the attack could continue.”
A denial-of-service tool was the first component the attackers deployed; it interfered with protection relays and made them unresponsive. A wiper tool then went after Microsoft Windows workstations to wipe any existing protection relays, allowing the attackers to continue and intensify the attack. The multi-layer, multi-component attack proved more difficult to respond to effectively. ESET believes the door remains open to a future attack, given the sophistication of the malware.
ESET’s fears rang true when Industroyer2 made another appearance in April 2022. According to Mandiant, the malware has learned new tricks. This time, the cyber-physical attack homed in on operational technology (OT) supporting Ukrainian power grids. OT-targeted attacks are rarer than other types of attack, and this is the first time a redeployed malware has targeted a new victim. A report from Mandiant also said, “Despite five years of substantial analysis into INDUSTROYER from a variety of researchers, the actor still attempted to repurpose the tool and customized it to reach new targets.”
The persistent nature of the cyberattack is troubling for researchers and for organizations that may be targeted. Researchers are still learning about the new variant of Industroyer and still have many questions to be answered: What is the motivation? Why did the attackers reconfigure the components, reusing only one original component from Industroyer, to carry out new attacks? Why are they targeting different victims for future cyberattacks?