How Industroyer could damage the world's power grids

Ukraine's 2016 blackout was likely caused by this malware, claim researchers

Security researchers at ESET have uncovered a type of malware that could have caused the 2016 blackout in the Ukrainian capital, Kiev.

In mid-December last year, a cyberattack caused damage to a substation in the northern part of the city, which caused the blackout in that area.

The attack took place exactly one year after the major blackout caused by the malware BlackEnergy that hit many regions across Ukraine in December 2015, leaving 250,000 households without power. That's where the similarities end, though, according to ESET.

ESET has found and analysed samples of an unrelated malware, called Industroyer, that could have caused the type of damage seen in the 2016.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Whereas BlackEnergy attack used legitimate remote access software to control operators' workstations, cutting off power, Industroyer is capable of controlling electricity substation switches and circuit breakers directly. Technically, the potential impact of the of the malware ranges from simply turning off the power supply to cascading failures and serious physical damage to equipment.

Worryingly, the communication protocols it takes advantage of aren't unique to the Ukrainian energy grid, but are in fact used worldwide not just in power supply infrastructure, but also in critical systems like transport, water and gas.

"Industroyer's dangerousness lies in the fact that it uses protocols in the way they were designed to be used," said Anton Cherepanov, senior malware researcher at ESET, in a blog post."The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world.

"Thus, their communication protocols were not designed with security in mind. That means that the attackers didn't need to be looking for protocol vulnerabilities; all they needed was to teach the malware 'to speak' those protocols."

He added: "While in principle it's difficult to attribute attacks to malware without performing an on-site incident response, it's highly probable that Industroyer was used in the December 2016 attack on the Ukrainian power grid. On top of the fact that the malware clearly possesses the unique capabilities to perform the attack, it contains an activation timestamp for 17 December, 2016, the day of the power outage."

Following the disclosure by ESET of its research into Industroyer, Terry Ray, chief product strategist at Imperva, said: "We are beginning to see an uptick in infrastructure attacks and in the case of Industroyer, the attackers seem to have extensive knowledge about industrial control protocols.

Advertisement - Article continues below

"While these attackers seem to be content to disrupt the system, it's not outside the realm of possibility that they could take things a step further and inflict damage to the systems themselves. While ICS [industrial control systems] are used heavily in energy and water, both certainly critical infrastructure, it is also used in large scale automation, which can include, manufacturing, shipping, aerospace and other industries that should also take note of such exploits."

Main image credit: Bigstock

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

23 Dec 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/security/cyber-security/354468/if-not-passwords-then-what
cyber security

If not passwords then what?

8 Jan 2020
Visit/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020