How Industroyer could damage the world's power grids

Ukraine's 2016 blackout was likely caused by this malware, claim researchers

Security researchers at ESET have uncovered a type of malware that could have caused the 2016 blackout in the Ukrainian capital, Kiev.

In mid-December last year, a cyberattack disrupted a substation in the northern part of the city, cutting power to that area.

The attack took place exactly one year after the major blackout caused by the malware BlackEnergy that hit many regions across Ukraine in December 2015, leaving 250,000 households without power. That's where the similarities end, though, according to ESET.


ESET has found and analysed samples of an unrelated malware, called Industroyer, that could have caused the type of damage seen in the 2016 attack.

Whereas the BlackEnergy attack used legitimate remote access software to take over operators' workstations and cut the power from there, Industroyer can control substation switches and circuit breakers directly. The potential impact of the malware therefore ranges from simply switching off the supply to cascading failures and serious physical damage to equipment.

Worryingly, the communication protocols it takes advantage of are not unique to the Ukrainian grid: they are used worldwide, not just in power supply infrastructure but also in other critical systems such as transport, water and gas.
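The point of the two paragraphs above, that the malware only has to "speak" the protocol, is easiest to see on the wire. The following is an added example written for this page, not code from the article or from ESET's analysis. It uses IEC 60870-5-104 as an illustrative substation protocol (the article does not name the protocols involved; IEC 104 is assumed here as a representative one). The first function encodes a single-command APDU of the kind a control station sends to open or close a switch, which shows that the frame carries no credential or signature at all; the last function is a detection check that parses a stream of frames and flags process commands arriving from any host other than the known control station. The IP addresses, the allow-list and the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# IEC 60870-5-104 type identifiers for control-direction process commands
# (the ASDUs that actually move something in the field).
COMMAND_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission: "activation" (i.e. do it now)


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    ioa: int        # information object address, e.g. one breaker
    element: int    # first byte of the information element (SCO/DCO/...)


def build_single_command(common_addr: int, ioa: int, on: bool,
                         ns: int = 0, nr: int = 0, select: bool = False) -> bytes:
    """Encode an I-format APDU carrying C_SC_NA_1 (type 45), COT=activation.

    There is no authentication field to fill in: any host that can reach
    TCP/2404 on the outstation can produce this frame.
    """
    sco = (1 if on else 0) | (0x80 if select else 0)          # SCS bit0, S/E bit7
    asdu = (struct.pack("<BBBBH", 45, 1, COT_ACTIVATION, 0, common_addr)
            + ioa.to_bytes(3, "little") + bytes([sco]))
    control = struct.pack("<HH", ns << 1, nr << 1)             # I-format: bit0 of N(S) is 0
    body = control + asdu
    return bytes([0x68, len(body)]) + body                      # APCI start byte + length


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Return the ASDU of an I-format APDU, None for S/U frames (no ASDU).

    Raises ValueError on a malformed frame, so a caller can log it rather
    than silently skip it. Only the first information object is decoded.
    """
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("missing APCI start byte or frame truncated")
    length = frame[1]
    if length < 4 or length != len(frame) - 2:
        raise ValueError("APCI length field does not match frame size")
    if frame[2] & 0x01:          # S-format (..01) and U-format (..11) carry no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU too short for a type, VSQ, COT, CA and IOA")
    type_id, _vsq, cot, _originator, common_addr = struct.unpack("<BBBBH", asdu[:6])
    ioa = int.from_bytes(asdu[6:9], "little")
    element = asdu[9] if len(asdu) > 9 else 0
    return Asdu(type_id, cot & 0x3F, common_addr, ioa, element)


def flag_unauthorised_commands(stream: Iterable[Tuple[str, bytes]],
                               allowed_masters: Set[str]) -> List[Tuple[str, str]]:
    """Flag process commands with COT=activation from hosts outside the allow-list.

    `stream` yields (source IP, APDU bytes) as a sensor would reassemble them.
    Malformed frames are reported too: a fuzzing or mis-speaking client is
    itself worth an alert on a network that should be fully predictable.
    """
    findings = []
    for src, frame in stream:
        try:
            asdu = parse_apdu(frame)
        except ValueError as exc:
            findings.append((src, f"malformed APDU: {exc}"))
            continue
        if asdu is None or asdu.type_id not in COMMAND_TYPES:
            continue
        if asdu.cot == COT_ACTIVATION and src not in allowed_masters:
            findings.append((src, f"{COMMAND_TYPES[asdu.type_id]} to CA={asdu.common_addr} "
                                  f"IOA={asdu.ioa} element={asdu.element:#04x}"))
    return findings


# Constructed traffic for the example (not a real capture). 10.0.0.5 is the
# legitimate control station; 10.0.0.77 is an unexpected host on the same LAN.
SAMPLE_STREAM = [
    ("10.0.0.5", bytes.fromhex("680407000000")),                           # U-frame STARTDT act
    ("10.0.0.5", bytes.fromhex("680e00000000640106000100" "00000014")),    # C_IC_NA_1 station interrogation
    ("10.0.0.77", build_single_command(1, 1001, on=True)),                 # single command: IOA 1001 -> ON
    ("10.0.0.77", bytes.fromhex("680e020000002e0106000100ea030001")),      # double command: IOA 1002 -> OFF
    ("10.0.0.5", bytes.fromhex("6803010000")),                             # truncated frame
]

if __name__ == "__main__":
    for src, what in flag_unauthorised_commands(SAMPLE_STREAM, {"10.0.0.5"}):
        print(f"{src}: {what}")
```

The check is deliberately crude: it is a source allow-list plus a type-ID lookup, which is exactly what a protocol with no authentication leaves you with. Anything finer, such as "is this particular breaker allowed to be switched by this station at this time", has to live in the same monitoring layer, because the outstation will execute whatever well-formed frame it receives.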


"Industroyer's dangerousness lies in the fact that it uses protocols in the way they were designed to be used," said Anton Cherepanov, senior malware researcher at ESET, in a blog post. "The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world.


"Thus, their communication protocols were not designed with security in mind. That means that the attackers didn't need to be looking for protocol vulnerabilities; all they needed was to teach the malware 'to speak' those protocols."

He added: "While in principle it's difficult to attribute attacks to malware without performing an on-site incident response, it's highly probable that Industroyer was used in the December 2016 attack on the Ukrainian power grid. On top of the fact that the malware clearly possesses the unique capabilities to perform the attack, it contains an activation timestamp for 17 December, 2016, the day of the power outage."

Following the disclosure by ESET of its research into Industroyer, Terry Ray, chief product strategist at Imperva, said: "We are beginning to see an uptick in infrastructure attacks and in the case of Industroyer, the attackers seem to have extensive knowledge about industrial control protocols.

"While these attackers seem to be content to disrupt the system, it's not outside the realm of possibility that they could take things a step further and inflict damage to the systems themselves. While ICS [industrial control systems] are used heavily in energy and water, both certainly critical infrastructure, they are also used in large-scale automation, which can include manufacturing, shipping, aerospace and other industries that should also take note of such exploits."

Main image credit: Bigstock
