‘Crash Override’: The Malware That Took Down a Power Grid

In Ukraine, researchers have found the first real-world malware that attacks physical infrastructure since Stuxnet.
Image may contain Musical Instrument Piano Leisure Activities and Wood
Getty Images

At midnight, a week before last Christmas, hackers struck an electric transmission station north of the city of Kiev, blacking out a portion of the Ukrainian capital equivalent to a fifth of its total power capacity. The outage lasted about an hour---hardly a catastrophe. But now cybersecurity researchers have found disturbing evidence that the blackout may have only been a dry run. The hackers appear to have been testing the most evolved specimen of grid-sabotaging malware ever observed in the wild.

Cybersecurity firms ESET and Dragos Inc. plan today to release detailed analyses of a piece of malware used to attack the Ukrainian electric utility Ukrenergo seven months ago, what they say represents a dangerous advancement in critical infrastructure hacking. The researchers describe that malware, which they’ve alternately named “Industroyer” or “Crash Override,” as only the second-ever known case of malicious code purpose-built to disrupt physical systems. The first, Stuxnet, was used by the US and Israel to destroy centrifuges in an Iranian nuclear enrichment facility in 2009.

The researchers say this new malware can automate mass power outages, like the one in Ukraine’s capital, and includes swappable, plug-in components that could allow it to be adapted to different electric utilities, easily reused, or even launched simultaneously across multiple targets. They argue that those features suggest Crash Override could inflict outages far more widespread and longer lasting than the Kiev blackout.

“The potential impact here is huge,” says ESET security researcher Robert Lipovsky. “If this is not a wakeup call, I don’t know what could be.”

The adaptability of the malware means that the tool poses a threat not just to the critical infrastructure of Ukraine, researchers say, but to other power grids around the world, including America's. “This is extremely alarming for the fact that nothing about it is unique to Ukraine,” says Robert M. Lee, the founder of the security firm Dragos and a former intelligence analyst focused on critical infrastructure security for a three-letter agency he declines to name. “They’ve built a platform to be able to do future attacks.”

Blackout

Last December's outage was the second time in as many years that hackers who are widely believed—but not proven—to be Russian have taken down elements of Ukraine's power grid. Together, the two attacks comprise the only confirmed cases of hacker-caused blackouts in history. But while the first of those attacks has received more public attention than the one that followed, the new findings about the malware used in that latter attack show it was far more than a mere rerun.

Instead of gaining access to the Ukrainian utilities’ networks and manually switching off power to electrical substations, as hackers did in 2015, the 2016 attack was fully automated, the ESET and Dragos researchers say. It was programmed to include the ability to “speak” directly to grid equipment, sending commands in the obscure protocols those controls use to switch the flow of power on and off. That means Crash Override could perform blackout attacks more quickly, with far less preparation, and with far fewer humans managing it, says Dragos’ Rob Lee.

“It’s far more scalable,” Lee says. He contrasts the Crash Override operation to the 2015 Ukraine attack, which he estimates required more than 20 people to attack three regional energy companies. “Now those 20 people could target ten or fifteen sites or even more, depending on time.”

Like Stuxnet, attackers could program elements of Crash Override to run without any feedback from operators, even on a network that’s disconnected from the internet---what Lee describes as a "logic bomb" functionality, meaning it could be programmed to automatically detonate at a preset time. From the hacker’s point of view, he adds, “you can be confident it will cause disruption without your interaction.”

Neither of the two security companies knows how the malware initially infected Ukrenergo. (ESET, for its part, notes that targeted phishing emails enabled the necessary access for the 2015 blackout attack, and suspects the hackers may have used the same technique a year later.) But once Crash Override has infected Windows machines on a victim's network, researchers say, it automatically maps out control systems and locates target equipment. The program also records network logs that it can send back to its operators, to let them learn how those control systems function over time.

From that point, researchers say, Crash Override could launch any of four "payload" modules, each of which communicates with grid equipment via a different protocol. In its December attack on Ukrenergo, it used protocols common to Ukraine, according to Lee's analysis. But the malware's swappable component design means it could have easily adapted to protocols more commonly used elsewhere in Europe or in the United States, downloading new modules on the fly if the malware can connect to the internet.

Aside from that adaptability, the malware can also comprehensively destroy all files on systems it infects, to cover its tracks after an attack is completed.

Physical Damage?

Another disturbing but less understood feature of the program, according to ESET, suggests an extra capability that hackers could potentially use to cause physical damage to power equipment. ESET's researchers say one aspect of the malware exploits a known vulnerability in a piece of Siemens equipment known as a Siprotec digital relay. The Siprotec device gauges the charge of grid components, sends that information back to its operators, and automatically opens circuit breakers if it detects dangerous power levels. But by sending that Siemens device a carefully crafted chunk of data, the malware could disable it, leaving it offline until it's manually rebooted. (Dragos, for its part, couldn't independently confirm that the Siemens attack was included in the malware sample they analyzed. A Siemens spokesperson points to a firmware update the company released for its vulnerable Siprotec devices in July of 2015, and suggests that owners of the digital relays patch them if they haven't already.)1

That attack might be intended to merely cut off access to circuit breakers after the malware opens them, preventing the operators from easily turning the power back on, says Mike Assante, a power grid security expert and instructor at the SANS Institute. But Assante, who in 2007 led a team of researchers that showed how a massive diesel generator could be physically and permanently broken with only digital commands, says the Siprotec attack might also have a more destructive function. If attackers used it in combination with overloading the charge on grid components, it could prevent the kill-switch feature that keeps those components from overheating, damaging transformers or other equipment.

Assante cautions the Siprotec attack still requires further analysis to better understand it, but still sees the potential as cause enough for concern.

"This is definitely a big deal," says Assante. "If it’s possible to disable the digital relay, you risk thermal overload to lines. That can cause lines to sag or melt, and can damage transformers or equipment that's in line and energized."

ESET argues that Crash Override could go even further, causing physical destruction by carrying out a well-crafted attack on multiple points in a power grid. Taking down elements of a grid en masse could cause what they describe as a "cascading" outage, in which a power overload spills over from one region to another to another.

Uncertain Scope

Neither ESET nor Dragos was willing to say with any certainty who might have created the malware, but Russia looms as the likely suspect. For three years, a sustained series of cyberattacks has bombarded Ukraine's government agencies and private industry alike. The timing of those attacks coincides with Russia’s invasion of Ukraine’s Crimean peninsula and its eastern region, known as Donbass. Earlier this year, Ukrainian president Petro Poroshenko declared in a speech following the second blackout that the attacks were performed with the “direct or indirect involvement of secret services of Russia, which have unleashed a cyberwar against our country.” Other researchers at Honeywell and Kiev-based Information Systems Security Partners have already argued that the 2016 blackout was likely perpetrated by the same hackers as the 2015 attack, which has been widely linked to a hacker group known as Sandworm and believed to have originated in Russia. On Monday, Dragos noted that it believes with "high confidence" that the Crash Override attack was the work of Sandworm, too, but didn't offer details of exactly how it came to that conclusion.

Despite Crash Override's dangerous capabilities and suspected Russian links, US and European grid operators still shouldn't panic about automated power-killing cyberattacks, Dragos' Lee argues.

He notes that unlike Stuxnet, the malware Dragos and ESET analyzed doesn't contain any apparent "zero-day" exploit for spreading or infiltrating new networks. While ESET warns that Crash Override could be adapted to affect other types of critical infrastructure like transportation, gas lines, or water facilities, Lee argues that would require rewriting other parts of the code beyond its modular components. And he points out that if power-grid operators closely monitor their control system networks---most around the globe likely don't, he says---they should be able to spot the malware's noisy reconnaissance scans before it launches its payloads. "It sticks out like a sore thumb," Lee says.

Still, none of that should leave US grid officials complacent. The malware that attacked Kiev's grid has turned out to be more sophisticated, adaptable, and dangerous than the cybersecurity community had imagined. And those features suggest that it's not going away. "In my analysis, nothing about this attack looks like it’s singular," Lee concludes. "The way it’s built and designed and run makes it look like it was meant to be used multiple times. And not just in Ukraine."

1Updated 6/13/2016 12:00 EST to include a response from Siemens.