How Industroyer could damage the world's power grids

Ukraine's 2016 blackout was likely caused by this malware, claim researchers

Security researchers at ESET have uncovered a type of malware that could have caused the 2016 blackout in the Ukrainian capital, Kiev.

In mid-December last year, a cyberattack caused damage to a substation in the northern part of the city, which caused the blackout in that area.

The attack took place exactly one year after the major blackout caused by the malware BlackEnergy that hit many regions across Ukraine in December 2015, leaving 250,000 households without power. That's where the similarities end, though, according to ESET.

ESET has found and analysed samples of an unrelated malware, called Industroyer, that could have caused the type of damage seen in the 2016.

Advertisement
Advertisement - Article continues below

Whereas BlackEnergy attack used legitimate remote access software to control operators' workstations, cutting off power, Industroyer is capable of controlling electricity substation switches and circuit breakers directly. Technically, the potential impact of the of the malware ranges from simply turning off the power supply to cascading failures and serious physical damage to equipment.

Worryingly, the communication protocols it takes advantage of aren't unique to the Ukrainian energy grid, but are in fact used worldwide not just in power supply infrastructure, but also in critical systems like transport, water and gas.

"Industroyer's dangerousness lies in the fact that it uses protocols in the way they were designed to be used," said Anton Cherepanov, senior malware researcher at ESET, in a blog post."The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world.

"Thus, their communication protocols were not designed with security in mind. That means that the attackers didn't need to be looking for protocol vulnerabilities; all they needed was to teach the malware 'to speak' those protocols."

He added: "While in principle it's difficult to attribute attacks to malware without performing an on-site incident response, it's highly probable that Industroyer was used in the December 2016 attack on the Ukrainian power grid. On top of the fact that the malware clearly possesses the unique capabilities to perform the attack, it contains an activation timestamp for 17 December, 2016, the day of the power outage."

Following the disclosure by ESET of its research into Industroyer, Terry Ray, chief product strategist at Imperva, said: "We are beginning to see an uptick in infrastructure attacks and in the case of Industroyer, the attackers seem to have extensive knowledge about industrial control protocols.

"While these attackers seem to be content to disrupt the system, it's not outside the realm of possibility that they could take things a step further and inflict damage to the systems themselves. While ICS [industrial control systems] are used heavily in energy and water, both certainly critical infrastructure, it is also used in large scale automation, which can include, manufacturing, shipping, aerospace and other industries that should also take note of such exploits."

Main image credit: Bigstock

Featured Resources

The essential guide to cloud-based backup and disaster recovery

Support business continuity by building a holistic emergency plan

Download now

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

How do vulnerabilities get into software?

90% of security incidents result from exploits against defects in software

Download now

Delivering the future of work - now

The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

8 Mar 2019

Most Popular

Visit/business-strategy/digital-transformation/354201/boston-dynamics-dog-like-robots-sniff-out-bombs-for
digital transformation

Boston Dynamics dog-like robots sniff out bombs for Massachusetts police

26 Nov 2019
Visit/business-strategy/mergers-and-acquisitions/354191/xerox-threatens-hostile-takeover-after-hp-rebuffs
mergers and acquisitions

Xerox threatens hostile takeover after HP rebuffs $30bn takeover

22 Nov 2019
Visit/security/data-breaches/354192/t-mobile-data-breach-affects-more-than-a-million-users
data breaches

T-Mobile data breach affects more than a million users

25 Nov 2019
Visit/mobile/google-android/354189/samsung-galaxy-a90-5g-review-simply-the-best-value-5g-phone
Google Android

Samsung Galaxy A90 5G review: Simply the best value 5G phone

22 Nov 2019