What if the attack on the Kiev power station last Christmas, which cut power to a good chunk of the city, was just a dry run? For what?
Security researchers at ESET and Dragos analyzed the malware used in the attack and say it represents a dangerous advancement in attacks on critical infrastructure.
Like Stuxnet before it, it was purpose built to damage industrial control systems.
The system, called Crash Override or Industroyer, is modular, with modules that can be swapped in and out depending on the particulars of the system being attacked.
This version of the software knows how to directly talk to the hardware that controls the power grid, rather than attacking the workstations that manage the grid. Given that it is modular, the attackers could configure it with particular attacks based on the control systems a particular plant uses.
By damaging the hardware, the attack would be much more difficult to recover from. If the controls don’t respond, engineers would need to go directly to the substations to try to recover, assuming there is a way to do that. At some stations there are no manual overrides, just automation. Damage could mean that you have to reboot the hardware, or it might mean that you have to replace the hardware. That is what we saw in Ukraine. Depending on how much damage it does, it could take time to recover.
The North American Electric Reliability Corporation or NERC has been working very actively with the utility industry to make it more resilient to attacks, but as the industry gets better, so do the attackers, so it is not a simple problem to solve.
This malware is also more automated than the software used in the 2015 Ukraine attack. That attack took 20 people to attack 3 companies. Experts say that with this new software that same team could attack ten or fifteen targets – or more.
Unlike Stuxnet, which is believed to be the work of Israel and the United States, this malware is thought to have come from Russian hackers.
The researchers note that this does not spell the end of humanity – although grid operators should be concerned. They say that the malware is very “noisy”, meaning that it is not subtle as it tries to map out the network it is attacking. If operators are watching their network, they will see the attack early, hopefully before it can do much damage. Stay tuned. Could Russia attempt to launch an attack in the U.S.? Sure, it’s possible. Could they try to attack more than one part of the grid at once? Also possible. Would they succeed? That is the real question. One that we don’t know the answer to.
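To make the “noisy” point concrete, here is an added illustration (not code from this post or from the ESET/Dragos reports) of the kind of check an operator watching their network could run: it walks constructed flow records and flags any host that contacts an unusually large number of distinct addresses within a short window, which is what a mapping sweep looks like on the wire. The addresses, timestamps and port numbers in the sample are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (time, source, destination, destination port), invented
# for this example. 10.0.1.20 plays a control-room host quietly polling its usual
# controllers; 10.0.1.77 plays a host that suddenly sweeps the substation LAN.
SAMPLE_FLOWS = """\
2017-06-12T02:00:00 10.0.1.20 10.0.1.100 2404
2017-06-12T02:00:30 10.0.1.20 10.0.1.101 2404
2017-06-12T02:01:00 10.0.1.77 10.0.1.1 2404
2017-06-12T02:01:01 10.0.1.77 10.0.1.2 2404
2017-06-12T02:01:02 10.0.1.77 10.0.1.3 2404
2017-06-12T02:01:03 10.0.1.77 10.0.1.4 102
2017-06-12T02:01:04 10.0.1.77 10.0.1.5 102
2017-06-12T02:01:05 10.0.1.77 10.0.1.6 102
2017-06-12T02:01:06 10.0.1.77 10.0.1.7 2404
2017-06-12T02:05:00 10.0.1.20 10.0.1.100 2404
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into sorted (time, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(flows)


def find_noisy_hosts(flows, window=timedelta(minutes=2), max_targets=5):
    """Return {source: peak distinct destinations} for every source that reached
    more than max_targets distinct hosts inside any sliding window of the given length.
    A normal polling host talks to a small, stable set; a sweep fans out fast."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_src[src].append((ts, dst))
    noisy = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            peak = max(peak, len(targets))
        if peak > max_targets:
            noisy[src] = peak
    return noisy


if __name__ == "__main__":
    print(find_noisy_hosts(parse_flows(SAMPLE_FLOWS)))  # {'10.0.1.77': 7}
```

In a real deployment the threshold would be tuned to a baseline of what each substation host normally talks to, so that routine polling never trips it while a sweep does.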
Information for this post came from Wired.