Newly identified malware dubbed CrashOverride is the "first ever" malware framework designed to attack the electric grid and was used to de-energize a Ukrainian transmission substation in December 2016, security firm Dragos Inc. reported June 12.
Although cyber adversaries could employ the malware in the future to destabilize electric grids, including in North America, Dragos said "the defense is doable" and that any resulting power outages would likely last hours or maybe days rather than weeks.
Slovakian anti-virus firm ESET notified Dragos on June 8 of the malware, which is tailored to manipulate industrial control systems, or ICS. Dragos then confirmed that CrashOverride was the first malware framework designed and deployed to attack electric grids. The June 12 report stated with "high confidence" that the malware helped take down a transmission substation in Ukraine on Dec. 17, 2016, an event attributed to cyber attackers with ties to another Ukraine grid hack a year prior. Dragos said the malware can also be modified to affect the North American electric grid.
"CrashOverride represents an evolution in tradecraft and capabilities by adversaries who wish to do harm to industrial environments," the report said.
The December 2016 cyberattack in Ukraine only affected a single substation, but the CrashOverride malware is sophisticated and could allow adversaries to attack grid operations systems in "various environments" and on multiple vendor platforms, Dragos said.
The cyberattackers leveraged lessons from other malware affecting energy and industrial systems. CrashOverride was designed to understand and codify knowledge of industrial processes in order to disrupt operations, similar to the Stuxnet virus that destroyed nuclear centrifuges in Iran. Like the "BlackEnergy 2" malware, CrashOverride targeted the libraries and configuration files of human-machine interfaces and used them to link to internet-connected locations. And as with the Ukraine cyberattack of 2015, the malware attempted to understand grid operations and allow attackers to leverage a company's ICS against itself.
But even if CrashOverride were leveraged at multiple sites simultaneously, Dragos said the scenario "is not cataclysmic and would result in hours, potentially a few days, of outages, not weeks or more." Humans employing an "active defense," such as hunting and responding internally to the ICS networks, "can ensure that security is maintained," according to the firm.
Security experts have blamed Russian cyber agents for the Ukraine grid attack of 2015, but Russia has not accepted responsibility for the event. Dragos tracked the adversary group behind the CrashOverride malware by the name Electrum and said it was confident through confidential sources that Electrum has "direct ties" to the Sandworm team that organized the December 2015 grid attack in Ukraine.
The North American Electric Reliability Corp. said June 12 that it was aware of the vulnerability and that no instances of the malware were reported in North America. NERC is developing a Level 1 alert that the not-for-profit international regulatory authority will share as soon as possible. In addition, the Electricity Information Sharing and Analysis Center, the electric power sector's main security communications channel, has provided information on the matter via its secure portal.