Slashdot Mirror


Researchers Reveal Malware Designed To 'Power Down' Electric Grid (securityledger.com)

chicksdaddy writes: A sample of malicious software discovered at the site of a December, 2016 cyber attack on Ukraine's electrical grid is a previously unknown program that could be capable of causing physical damage to the electrical grid, according to reports by two security firms. The Security Ledger reports: "Experts at the firm ESET and Dragos Security said on Monday that the malicious software, dubbed CrashOverride (Dragos) or Industroyer (ESET) affected a 'single transmission level substation' in the Ukraine attack on December 17th, 2016 in what appears to have been a test run. Still, experts said that features in the malware show that adversaries are automating and standardizing what were previously manual attacks against critical infrastructure, while also adding features that could be used to physically disable or damage critical systems -- the first evidence of such activity since the identification of the Stuxnet malware in 2010. The Crash Override malware 'took an approach to understand and codify the knowledge of the industrial process to disrupt operations as STUXNET (sp) did,' wrote Dragos Security in a report. The malware improves on features seen in other malicious software that it knows to target industrial control systems. Specifically, the malware makes use of and manipulates industrial control system-specific communications protocols. That's similar to features in ICS malware known as Havex that targeted grid operators in Europe and the United States in 2014. The Crash Override malware also targeted the libraries and configuration files of so-called 'Human Machine Interfaces' (or HMIs) to understand the environment they have infected. It can use HMIs, which provide a graphical interface for managing industrial control system equipment, to connect and spread to other Internet-connected equipment and systems, Dragos said."

14 of 42 comments

  1. Putin at work, once again by Anonymous Coward · · Score: 3, Insightful

    No doubt Putin's team of state hackers are behind this. Part of his plan to reconquer all former Soviet republics.

    Now watch the filthy little paid Russian shills downmod this post down to hell, as always happens anytime Putin or Russia are mentioned on Slashdot.

  2. Power Down by tquasar · · Score: 3, Informative

    I live in southern California and there are two major electric lines, one from the east and the other from the north. Damage to either would be likely and, due to their remote location, there would be a six or eight hour drive from the nearest place that might have any repair ability. There's no power to pump fuel from underground tanks, so how can any agency respond? Add an earthquake to the scene....

  3. What I find surprising by SCVonSteroids · · Score: 3, Interesting

    Maybe I'm being too critical of everything these days but I find it surprising that these sort of things are even news. Shouldn't it be expected even before its inception that people are going to try and fuck with important things if they can? ESPECIALLY when they can do it anonymously?

    I think I need to escape to the woods, and fucking soon, for a long time.

    --
    I tend to rant.
  4. The question at hand: by Gravis+Zero · · Score: 3, Insightful

    Why the fuck are these systems connected to the internet?

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:The question at hand: by KiloByte · · Score: 3, Informative

      From a technical point of view, only because it was more convenient and less costly.

      But the real reason is, in almost all countries this tends to be "good enough" as no one will dare to attack you -- even if the attack itself can be easily anonymized, "cui bono" makes the attacker obvious (and a false flag operation would be pretty risky).

      Except for Ukraine -- a country with a big powerful enemy it's currently at war with, and has no friends. It's beyond obvious who wants to destroy their power grid, but at this moment Russia has no real downside in revealing their hand. Thus, this is a show of strength.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:The question at hand: by SCVonSteroids · · Score: 3, Interesting

      My musings on it:

      At the time, the engineers were cocky and thought nobody would be able to fuck with it. Maybe at the time they were correct. Current engineers see the problem, but the solution costs too much so everyone just wishes it would go away and don't talk about it too much. I've never had much fun trying to explain something super technical (but super important) to someone who was stressed out and knew fuck all of what I was talking about (but occupied a role of higher power, yeah I'm talking about managers, OK?).

      Fortunately, we've all been able to sit back and enjoy corporations falling prey to this kind of thought process, but someday, they'll hit just the right target where it'll cause real damage. I'm not talking the kind of damage where some exec. can't refurbish his yacht, and formulates some kind of propaganda with his friends to make it so he can. I'm talking the kind of damage where civilization grinds to a halt, and mass panic ensues.

      --
      I tend to rant.
    3. Re:The question at hand: by Strider- · · Score: 4, Informative

      That's the thing, they don't have to be to be a problem. That was the ingenious thing with Stuxnet... It had two parts, the worm that infected internet connected hosts, and the thumbdrive vector that allowed it to jump the air gap. It's entirely likely that it originated with infected thumb drives that were dropped in parking lots/buses/etc... frequented by the Engineers working on Iran's nuclear programme. People being people, they stuck the thumb drives into their machines, on either side of the air gap, and then the worm spread through the isolated side of the network, infecting the PLCs driving their centrifuges.

      That said, I operate the network for an organization that has their own private power system (small hydro-electric system isolated from the main grid). As much as I would like to physically isolate our power control network from our main operational network, it's unfortunately not practical. Instead the main control of the turbines, exciters, generators and such is strongly firewalled, and then the load shedding components in the rest of the campus are on an isolated VLAN. There is additional protection through strategic use of VRFs and the like. Is it perfect? no, but it's the best I can do.

      --
      ...si hoc legere nimium eruditionis habes...
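The layout Strider- describes (a firewalled control zone for the turbines and generators, an isolated VLAN for the load-shedding gear, and the general campus network) only holds if every flow that crosses a zone boundary is on an explicit allow-list. The following is an added example, not code from the thread or from the poster's site: it models that zone plan with constructed address ranges, a constructed allow-list (one engineering workstation may poll the control zone; controllers may drive the load-shedding relays) and constructed flow records, then reports every cross-zone flow the allow-list does not cover. The zone ranges, the host 10.100.5.7, the timestamps and the choice of port 502 (Modbus/TCP) are all assumptions made for the example.

```python
"""Audit flow records against an ICS network-segmentation allow-list.

Added example (not from the Slashdot thread or the poster's network).
All addresses, ports and log lines below are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed zone plan (assumption, not the poster's real addressing).
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/24"),   # turbines, exciters, generators
    "loadshed": ipaddress.ip_network("10.20.0.0/24"),  # load-shedding relays on campus
    "campus": ipaddress.ip_network("10.100.0.0/16"),   # main operational network
}

# Allow-list for traffic that crosses a zone boundary:
# (source zone, specific source host or None for any host, destination zone, destination port).
# Port 502 is Modbus/TCP; that the site's equipment speaks it is an assumption.
ALLOW: List[Tuple[str, Optional[str], str, int]] = [
    ("campus", "10.100.5.7", "control", 502),   # the single engineering workstation
    ("control", None, "loadshed", 502),         # controllers drive load-shedding relays
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> Tuple[str, str, str, int]:
    """Parse the constructed record format: '<timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return ts, src, dst, int(dport)


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """Intra-zone traffic is left to the VLAN; cross-zone traffic must match ALLOW."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return True
    for a_src_zone, a_host, a_dst_zone, a_port in ALLOW:
        if (src_zone, dst_zone, dport) == (a_src_zone, a_dst_zone, a_port) and a_host in (None, src):
            return True
    return False


def audit(lines: Iterable[str]) -> List[Tuple[str, str, str, int, str]]:
    """Return (ts, src, dst, dport, 'src_zone->dst_zone') for every flow not on the allow-list."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        if not is_allowed(src, dst, dport):
            violations.append((ts, src, dst, dport, f"{zone_of(src)}->{zone_of(dst)}"))
    return violations


# Constructed sample flows: lines 1, 2 and 6 are legitimate; 3, 4 and 5 are not.
SAMPLE_FLOWS = """\
2017-06-12T08:00:01Z 10.100.5.7 10.10.0.21 502
2017-06-12T08:00:02Z 10.10.0.21 10.20.0.5 502
2017-06-12T08:00:03Z 10.100.8.44 10.10.0.21 502
2017-06-12T08:00:04Z 10.100.5.7 10.10.0.21 3389
2017-06-12T08:00:05Z 203.0.113.9 10.20.0.5 502
2017-06-12T08:00:06Z 10.100.8.44 10.100.8.45 445
""".splitlines()

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("VIOLATION", *v)
```

Run against the sample it reports three flows: a campus host other than the workstation reaching a controller, the workstation reaching a controller on a port the policy never granted, and an address outside the plan reaching the load-shedding VLAN. The same allow-list can be turned into firewall or VRF route-leak rules; keeping it as data and auditing observed flows against it is what catches the "temporary" exception that never got removed.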
    4. Re:The question at hand: by dbIII · · Score: 3, Interesting

      At the time, the engineers were cocky and thought nobody would be able to fuck with it. Maybe at the time they were correct.

      You are incorrect.
      Back in the day we wanted either a total air gap (which we used to have) or dedicated secure networks like the banks were using. Management just about everywhere didn't like that and went shopping for consultants that gave them a cheap answer and they didn't care if the consultants knew what they were talking about or not. Various trade magazines at the time had a lot about the fuss and potential consequences but were ignored.
      Don't blame the engineers for a policy decision that they argued against.
      As for "Current engineers see the problem" - have you SEEN the IoT security clusterfucks in progress? Over the weekend there was an article about one here, poor defaults on the Raspberry Pi causing problems. There is definitely no reason to be smug and certainly no reason to feel superior.

    5. Re:The question at hand: by Gravis+Zero · · Score: 2

      But the real reason is, in almost all countries this tends to be "good enough" as no one will dare to attack you -- even if the attack itself can be easily anonymized, "cui bono" makes the attacker obvious (and a false flag operation would be pretty risky).

      The problem is that this is no longer true due to the threat that climate change poses. Every person on this planet now has cause to disrupt operations at the vast majority of the world's power plants. The more disruptive they are to a polluting power plant/company, the greater the monetary incentive to use non-polluting energy sources or for people to go off-grid with solar and battery systems. Now that attacks have been shown to be quite feasible, they could be coming to every polluting plant, everywhere.

      --
      Anons need not reply. Questions end with a question mark.
    6. Re: The question at hand: by Anonymous Coward · · Score: 2, Informative

      In the old days, i.e. before 1994 when most of the US deregulated, a utility company could gold plate their EMS SCADA and pass all the costs on to us residential consumers in the name of reliability services. Once they had to compete, you start seeing cost saving measures like VPN arrive, and yes, there was a time when one would say "Why is this on the Internet?!?" The 2001 terrorist attack led to CEII rules, but people were getting complacent by 2007. The DOE ran a project called Aurora that scared the crap out of utility companies, partly so they could get the industry to adopt hardening standards and government oversight. Today, there is a mix of access technologies, whitelisted firewalls with multi factor auth, but also an awareness of attack vectors through phishing and social engineering. Why crack a system when an employee could carry the payload into the complex?

    7. Re:The question at hand: by AHuxley · · Score: 2

      Back in the day sites had a fence, some guard on duty and workers knew to look out for anyone who was wandering around.
      Today's networked engineers replaced the union staff.
      Networks span services that should never have been opened to the outside "internet" just to save costs, for investment and free trade in upgrades or so shareholders could feel good.

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re:The question at hand: by SuricouRaven · · Score: 2

      The Pi issue wasn't about poor defaults: It was about the designers making the assumption, which turned out to be wrong, that every user would know the importance of changing the password before putting their device on the internet. It turns out that even for the more technically-minded people who would usually buy a pi, a lot of them are completely ignorant of the most basic of security practices.

    9. Re:The question at hand: by chicksdaddy · · Score: 2

      Interesting. Which trade mags are worth a look/read? Interested to see if this (now historical) debate played out publicly in any way.

  5. It was no hackers by nospam007 · · Score: 2

    It was that maintenance guy from British Airways.