How Industroyer could damage the world's power grids

Ukraine's 2016 blackout was likely caused by this malware, claim researchers

Security researchers at ESET have uncovered a type of malware that could have caused the 2016 blackout in the Ukrainian capital, Kiev.

In mid-December last year, a cyberattack caused damage to a substation in the northern part of the city, which caused the blackout in that area.

The attack took place exactly one year after the major blackout caused by the malware BlackEnergy that hit many regions across Ukraine in December 2015, leaving 250,000 households without power. That's where the similarities end, though, according to ESET.

Advertisement - Article continues below

ESET has found and analysed samples of an unrelated malware, called Industroyer, that could have caused the type of damage seen in the 2016.

Whereas BlackEnergy attack used legitimate remote access software to control operators' workstations, cutting off power, Industroyer is capable of controlling electricity substation switches and circuit breakers directly. Technically, the potential impact of the of the malware ranges from simply turning off the power supply to cascading failures and serious physical damage to equipment.

Worryingly, the communication protocols it takes advantage of aren't unique to the Ukrainian energy grid, but are in fact used worldwide not just in power supply infrastructure, but also in critical systems like transport, water and gas.

Advertisement
Advertisement - Article continues below

"Industroyer's dangerousness lies in the fact that it uses protocols in the way they were designed to be used," said Anton Cherepanov, senior malware researcher at ESET, in a blog post."The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world.

Advertisement - Article continues below

"Thus, their communication protocols were not designed with security in mind. That means that the attackers didn't need to be looking for protocol vulnerabilities; all they needed was to teach the malware 'to speak' those protocols."

He added: "While in principle it's difficult to attribute attacks to malware without performing an on-site incident response, it's highly probable that Industroyer was used in the December 2016 attack on the Ukrainian power grid. On top of the fact that the malware clearly possesses the unique capabilities to perform the attack, it contains an activation timestamp for 17 December, 2016, the day of the power outage."

Following the disclosure by ESET of its research into Industroyer, Terry Ray, chief product strategist at Imperva, said: "We are beginning to see an uptick in infrastructure attacks and in the case of Industroyer, the attackers seem to have extensive knowledge about industrial control protocols.

"While these attackers seem to be content to disrupt the system, it's not outside the realm of possibility that they could take things a step further and inflict damage to the systems themselves. While ICS [industrial control systems] are used heavily in energy and water, both certainly critical infrastructure, it is also used in large scale automation, which can include, manufacturing, shipping, aerospace and other industries that should also take note of such exploits."

Main image credit: Bigstock

Advertisement

Recommended

Visit/security/malware/355093/evasive-malware-threats-are-surging
malware

Evasive malware threats doubled in 2019

24 Mar 2020
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

2 Mar 2020
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019

Most Popular

Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft’s patent design reveals a mobile device with a third screen

6 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020