Slashdot Mirror


Researchers Reveal Malware Designed To 'Power Down' Electric Grid (securityledger.com)

chicksdaddy writes: A sample of malicious software discovered at the site of a December 2016 cyber attack on Ukraine's electrical grid is a previously unknown program that could be capable of causing physical damage to the electrical grid, according to reports by two security firms. The Security Ledger reports: "Experts at the firm ESET and Dragos Security said on Monday that the malicious software, dubbed CrashOverride (Dragos) or Industroyer (ESET), affected a 'single transmission level substation' in the Ukraine attack on December 17th, 2016 in what appears to have been a test run. Still, experts said that features in the malware show that adversaries are automating and standardizing what were previously manual attacks against critical infrastructure, while also adding features that could be used to physically disable or damage critical systems -- the first evidence of such activity since the identification of the Stuxnet malware in 2010. The Crash Override malware 'took an approach to understand and codify the knowledge of the industrial process to disrupt operations as STUXNET (sp) did,' wrote Dragos Security in a report. The malware improves on features seen in other malicious software that is known to target industrial control systems. Specifically, the malware makes use of and manipulates industrial control system-specific communications protocols. That's similar to features in ICS malware known as Havex that targeted grid operators in Europe and the United States in 2014. The Crash Override malware also targeted the libraries and configuration files of so-called 'Human Machine Interfaces' (or HMIs) to understand the environment they have infected. It can use HMIs, which provide a graphical interface for managing industrial control system equipment, to connect and spread to other Internet-connected equipment and systems, Dragos said."

42 comments

  1. take down 9 take the full grid down! by Joe_Dragon · · Score: 1
  2. Putin at work, once again by Anonymous Coward · · Score: 3, Insightful

    No doubt Putin's team of state hackers are behind this. Part of his plan to reconquer all former Soviet republics.

    Now watch the filthy little paid Russian shills downmod this post down to hell, as always happens anytime Putin or Russia are mentioned on Slashdot.

    1. Re:Putin at work, once again by Anonymous Coward · · Score: 1

      I modded you down.

      Where's my fucking check, then, asshole?

    2. Re:Putin at work, once again by Anonymous Coward · · Score: 0, Troll

      I would have modded you funny. That's what you hysterically sore loser democrats really are! And you give the Russians too much credit. The western alliance has just as much to gain from this little tool.

    3. Re:Putin at work, once again by Anonymous Coward · · Score: 0

      I modded you down.

      Where's my fucking check, then, asshole?

      You didn't fill the quota for the month dickhead.

    4. Re:Putin at work, once again by Anonymous Coward · · Score: 0

      Tovarish, the check is in the mail.
      Please have patience. We can't (re)build communism in one year.

      All hail Putin.
      DisInformation Bureau

    5. Re:Putin at work, once again by Anonymous Coward · · Score: 0

      Wow! The Washington Post is here, at Slashdot!! Made the big time. That's soooo coooooool. Not as cool as fighting xenophobia with xenophobia, but pretty close.

  3. Power Down by tquasar · · Score: 3, Informative

    I live in southern California and there are two major electric lines, one from the east and the other from the north. Damage to either would be likely, and due to their remote location there would be a six- or eight-hour drive from the nearest place that might have any repair ability. There's no power to pump fuel from underground tanks, so how can any agency respond? Add an earthquake to the scene....

    1. Re:Power Down by Anonymous Coward · · Score: 1, Funny

      Dude, not to worry, you're in SoCal. Arnold Schwarzenegger, Sylvester Stallone, Bruce Willis, Nicolas Cage, Clint Eastwood, Jason Statham, Harrison Ford, Dwayne Johnson, Denzel Washington, and the rest all live like blocks from here. These dudes can get us out of anything.

  4. What I find surprising by SCVonSteroids · · Score: 3, Interesting

    Maybe I'm being too critical of everything these days, but I find it surprising that these sorts of things are even news. Shouldn't it be expected even before its inception that people are going to try and fuck with important things if they can? ESPECIALLY when they can do it anonymously?

    I think I need to escape to the woods, and fucking soon, for a long time.

    --
    I tend to rant.
  5. The question at hand: by Gravis+Zero · · Score: 3, Insightful

    Why the fuck are these systems connected to the internet?

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:The question at hand: by KiloByte · · Score: 3, Informative

      From a technical point of view, only because it was more convenient and less costly.

      But the real reason is, in almost all countries this tends to be "good enough" as no one will dare to attack you -- even if the attack itself can be easily anonymized, "cui bono" makes the attacker obvious (and a false flag operation would be pretty risky).

      Except for Ukraine -- a country with a big powerful enemy it's currently at war with, and has no friends. It's beyond obvious who wants to destroy their power grid, but at this moment Russia has no real downside in revealing their hand. Thus, this is a show of strength.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:The question at hand: by SCVonSteroids · · Score: 3, Interesting

      My musings on it:

      At the time, the engineers were cocky and thought nobody would be able to fuck with it. Maybe at the time they were correct. Current engineers see the problem, but the solution costs too much, so everyone just wishes it would go away and doesn't talk about it too much. I've never had much fun trying to explain something super technical (but super important) to someone who was stressed out and knew fuck all of what I was talking about (but occupied a role of higher power, yeah I'm talking about managers, OK?).

      Fortunately, we've all been able to sit back and enjoy corporations falling prey to this kind of thought process, but someday, they'll hit just the right target where it'll cause real damage. I'm not talking the kind of damage where some exec. can't refurbish his yacht, and formulates some kind of propaganda with his friends to make it so he can. I'm talking the kind of damage where civilization grinds to a halt, and mass panic ensues.

      --
      I tend to rant.
    3. Re:The question at hand: by Strider- · · Score: 4, Informative

      That's the thing, they don't have to be to be a problem. That was the ingenious thing with Stuxnet... It had two parts, the worm that infected internet connected hosts, and the thumbdrive vector that allowed it to jump the air gap. It's entirely likely that it originated with infected thumb drives that were dropped in parking lots/buses/etc... frequented by the Engineers working on Iran's nuclear programme. People being people, they stuck the thumb drives into their machines, on either side of the air gap, and then the worm spread through the isolated side of the network, infecting the PLCs driving their centrifuges.

      That said, I operate the network for an organization that has its own private power system (small hydro-electric system isolated from the main grid). As much as I would like to physically isolate our power control network from our main operational network, it's unfortunately not practical. Instead, the main control of the turbines, exciters, generators and such is strongly firewalled, and then the load shedding components in the rest of the campus are on an isolated VLAN. There is additional protection through strategic use of VRFs and the like. Is it perfect? No, but it's the best I can do.

      --
      ...si hoc legere nimium eruditionis habes...
    4. Re: The question at hand: by Anonymous Coward · · Score: 0

      Thanks for letting us all know that.

    5. Re:The question at hand: by dbIII · · Score: 3, Interesting

      At the time, the engineers were cocky and thought nobody would be able to fuck with it. Maybe at the time they were correct.

      You are incorrect.
      Back in the day we wanted either a total air gap (which we used to have) or dedicated secure networks like the banks were using. Management just about everywhere didn't like that and went shopping for consultants that gave them a cheap answer, and they didn't care if the consultants knew what they were talking about or not. Various trade magazines at the time had a lot about the fuss and potential consequences but were ignored.
      Don't blame the engineers for a policy decision that they argued against.
      As for "Current engineers see the problem" - have you SEEN the IoT security clusterfucks in progress? Over the weekend there was an article about one here, poor defaults on the Raspberry Pi causing problems. There is definitely no reason to be smug and certainly no reason to feel superior.

    6. Re:The question at hand: by Gravis+Zero · · Score: 2

      But the real reason is, in almost all countries this tends to be "good enough" as no one will dare to attack you -- even if the attack itself can be easily anonymized, "cui bono" makes the attacker obvious (and a false flag operation would be pretty risky).

      The problem is that this is no longer true due to the threat that climate change poses. Every person on this planet now has cause to disrupt operations at the vast majority of the world's power plants. The more disruptive they are to a polluting power plant/company, the greater the monetary incentive to use non-polluting energy sources or for people to go off-grid with solar and battery systems. Now that attacks have been shown to be quite feasible, they could be coming to every polluting plant, everywhere.

      --
      Anons need not reply. Questions end with a question mark.
    7. Re: The question at hand: by Anonymous Coward · · Score: 1

      I want some of what you're smoking.

      The vast majority of environmentalists think that they are only using green electrons to make their frappuccinos and recharge their iPhones, and it's those capitalists who are using all the dirty electrons to watch their NASCAR and run their air conditioners. It's always someone else causing the problem.

    8. Re:The question at hand: by AHuxley · · Score: 1

      In the USA?
      Nobody wants to pay for union workers to turn up to work and watch over equipment in their state. Just have an engineer do it from a more central location.
      The selling of the upgrade hardware for the network.
      The renting and selling for later upgrades, security and more networking.
      Teaching staff how to use the new systems.

      --
      Domestic spying is now "Benign Information Gathering"
    9. Re: The question at hand: by Anonymous Coward · · Score: 2, Informative

      In the old days, i.e., before 1994 when most of the US deregulated, a utility company could gold plate their EMS SCADA and pass all the costs on to us residential consumers in the name of reliability services. Once they had to compete, you start seeing cost saving measures like VPN arrive, and yes, there was a time when one would say "Why is this on the Internet?!?" The 2001 terrorist attack led to CEII rules, but people were getting complacent by 2007. The DOE ran a project called Aurora that scared the crap out of utility companies, partly so they could get the industry to adopt hardening standards and government oversight. Today, there is a mix of access technologies, whitelisted firewalls with multi-factor auth, but also an awareness of attack vectors through phishing and social engineering. Why crack a system when an employee could carry the payload into the complex?

    10. Re:The question at hand: by AHuxley · · Score: 2

      Back in the day sites had a fence, some guard on duty and workers knew to look out for anyone who was wandering around.
      Today's networked engineers replaced the union staff.
      Networks span services that should never have been opened to the outside "internet" just to save costs, for investment and free trade in upgrades or so shareholders could feel good.

      --
      Domestic spying is now "Benign Information Gathering"
    11. Re:The question at hand: by Mr+D+from+63 · · Score: 1

      Why the fuck are these systems connected to the internet?

      What systems are you talking about? In the US, systems that control grid infrastructure are not connected to the internet. Maybe there are a few countries left where that isn't true, but just because malware exists doesn't mean the target is vulnerable.

    12. Re:The question at hand: by SuricouRaven · · Score: 2

      The Pi issue wasn't about poor defaults: it was about the designers making the assumption, which turned out to be wrong, that every user would know the importance of changing the password before putting their device on the internet. It turns out that even for the more technically-minded people who would usually buy a Pi, a lot of them are completely ignorant of the most basic of security practices.

    13. Re:The question at hand: by Gravis+Zero · · Score: 1

      In the US, systems that control grid infrastructure are not connected to the internet.

      Oh how little you know.

      --
      Anons need not reply. Questions end with a question mark.
    14. Re:The question at hand: by chicksdaddy · · Score: 1

      agreed

    15. Re:The question at hand: by gtall · · Score: 1

      Because any company that runs electric infrastructure has parts of it scattered geographically about. Modern grids have at least two "networks", the power network you see as transmission lines, and the control grid used to integrate the pieces, as it is impossible to run them efficiently or probably at all as autonomous pieces. SneakerNet is not an option.

      So, you can set up your own network and be on the hook for its maintenance, as it too will have maintenance issues, or you can piggyback off the internet. Running a network is expensive and you must find the right people and pay them well enough to keep institutional knowledge of how it all works. You'll also be wanting to recruit new people as older ones retire, and keep your workforce up to speed on the latest technology. That alone will not prevent attacks, as your network can get tapped into just as the internet can. All it takes is getting access to some of the equipment at remote sites. So you'll be wanting to implement guards against that...just like you should do if you are piggybacking. Oh, and since you have your own network, it is essentially a one-off, able to generate new and never before seen problems.

      That said, grid infrastructure companies could do a lot more to harden their stuff.

    16. Re:The question at hand: by chicksdaddy · · Score: 2

      Interesting. Which trade mags are worth a look/read? Interested to see if this (now historical) debate played out publicly in any way.

    17. Re:The question at hand: by SCVonSteroids · · Score: 1

      Hah it's funny cause I was thinking to actually log on last night to reply to my comment, bashing myself about how cynical that was towards a group of people who, in general, definitely don't get cocky, and for sure don't exercise their "I don't care" muscles very often either. Apologies, I've been on rant mode as of late.

      I have HEARD of the "IoT security clusterfuck in progress". I think anyone who has access to the internet would have. Knowledge of what IoT even is or not.
      My stance? I don't honestly care. Would rather go out and live in the woods. Thanks for taking time from your day to make me look like an asshole on the internet though!

      --
      I tend to rant.
    18. Re:The question at hand: by Gravis+Zero · · Score: 1

      You write as if M2M communications is a brand new thing.

      --
      Anons need not reply. Questions end with a question mark.
    19. Re:The question at hand: by dbIII · · Score: 1

      The EPRI stuff and Engineers Australia were the ones I remember but IEEE are likely to have had something.
      It was all completely obvious stuff anyway.

    20. Re:The question at hand: by Anonymous Coward · · Score: 0

      thx

    21. Re:The question at hand: by plover · · Score: 1

      I still wonder if the "jumping the air gap" capability of Stuxnet was added as a diversion to protect an inside agent at Natanz. It seems like a sketchy plan to rely on someone inserting an infected USB stick into the isolated network. Instead, they may have had an anti-war sympathizer on the inside who didn't want to be a part of weaponizing their uranium, and who agreed to insert the stick as long as it couldn't be traced back to them.

      Remember, the Stuxnet operation had to cross the air gap three times. The first time was to load recon software onto the target to map out the SCADA network. They had to identify, count, and map out the variable frequency controllers; the various devices and sensors that were later spoofed; the controller, everything. Once installed, the recon software was going to require some time to perform its activity. Next, once the data had been gathered, it had to be exfiltrated from the isolated network, which required a reverse hop across the air gap. Then, the team had to study the map and build the targeting software - Stuxnet was crafted specifically to attack only this exact network, and it did so by looking for a set of very specific device signatures on it - more than 5 arrays of more than 32 high-speed variable frequency controllers, etc. Building and testing this software undoubtedly took some amount of time, during which the malware would have been sitting idle, and would have been at risk of detection. Finally, deploying the attack software required a third trip across the air gap.

      To me, Stuxnet was too big to gamble its success on someone "accidentally" inserting an infected USB stick back and forth across the gap three different times. I suppose if they had knowledge that their procedure was "make configuration changes on system A every Monday, copy it to USB stick marked 'Secure USB stick, Air Gap Only!', test changes on system B on Tuesday, insert into system C on production network on Wednesday", they might have been able to leverage that kind of cycle. But nobody has publicly provided documentation on how crossing the USB gap occurred.

      Hmm. Now that I think about it even more, it's possible that the recon could have been done by copying the production SCADA configuration information from an engineer's workstation on the outside of the air-gapped network. That would reduce the need for the air gap to a single trip, but it would be risky: how would you be certain that you're looking at an exact map of production, and not someone's simulated network for testing purposes? One mistake and the attack would be a dud; it's so complex that you're not going to get a lot of second chances.

      --
      John
    22. Re:The question at hand: by Mr+D+from+63 · · Score: 1

      Oh how much you think you know. Anybody who can read English should read the regulations first instead of just assuming. NERC and FERC have long ago mandated isolation of such control systems, and enforcement has been thorough.

      So, how much do you really know?

    23. Re:The question at hand: by Anonymous Coward · · Score: 0

      deeply sorry for seeing this apparently knowledgeable post rated 2...

  6. Stupid Admins by Anonymous Coward · · Score: 0

    People who think allowing these networks to be accessed from the internet at large are stupid. What's worse is there are trivial ways to secure these things. My 11yo knows how to secure a damn network better than these people. There is no excuse good enough that it has not been done.

    1. Re:Stupid Admins by 0111+1110 · · Score: 1

      People who think allowing these networks to be accessed from the internet at large are stupid.

      Actually that is probably the point of this malware. To demonstrate how stupid it is. And yes it is stupid as well as arrogant.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
  7. Crash Override? by Anonymous Coward · · Score: 0

    Now I'm expecting to see Acid Burn somewhere...
    https://en.wikipedia.org/wiki/Hackers_(film)#Plot

    CYA

  8. To solve, hold the Cxx's personally responsible by Snotnose · · Score: 1

    Right now they are focused on the next quarter. How about we say "Hey, if hackers screw you then we'll screw your life with prison terms and heavy fines".

    Somehow I think the focus will shift pretty quickly.

  9. It was no hackers by nospam007 · · Score: 2

    It was that maintenance guy from British Airways.

  10. Insert cyber BS .. by najajomo · · Score: 1

    "The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.

    With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from." link

  11. Font too small to be read comfortably by Anonymous Coward · · Score: 0

    On stylo 2