Black Hat: Human Side of Grid Attack

By Gregory Hale

There has been plenty of discussion around the attacks over the past two years on the Ukraine power grid, along with some fear mongering, but the reality is those attacks, while a big threat, are not designed to have a large-scale impact.

“The way Crashoverride is configured today, it can cause some small event, but it will not scale into a ‘We just lost New York City,’ or ‘We just lost the state of Texas,’” said Ben Miller, director of the threat operations center at Dragos, during a Wednesday presentation entitled “Industroyer/Crashoverride: Zero Things Cool about a Threat Group Targeting the Power Grid” at Black Hat USA 2017 in Las Vegas, NV. “We are not at the point of a cascading grid failure.”

While that may bring a sigh of relief, Industroyer and Crashoverride, two names for the same attack, was an attack on utilities that affected civilians.

“When we discovered the malware, we were blown away,” said Robert Lipovsky, a malware researcher at ESET. “It was designed to attack a substation.” There was a timer involved that set off the attack scenario.

Lipovsky said there are now documented ICS-focused attacks:

• Stuxnet

• Havex

• BlackEnergy

• Industroyer/Crashoverride

The Industroyer/Crashoverride campaigns targeted the Ukraine power grid, but different utilities each time. The first attack occurred in December 2015 and the next hit in December 2016.

Lipovsky and Anton Cherepanov, a senior malware researcher at ESET, gave a rundown of the technical details behind the attack: it had a main backdoor and a mirrored backdoor, plus a secondary backdoor in case the main one was discovered.

There were three ways it attacked the substations to open and close the circuit breakers. The devices usually ran Windows and spoke very common languages and protocols, and Industroyer abused those communications.

The launcher, Cherepanov said, had a 101 payload, a 104 payload, a 61850 payload and an OPC DA payload (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC Data Access, respectively). The first three payloads were specific to the actual substation, whereas the OPC DA payload was a more general-purpose attack.
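The 101, 104 and 61850 payloads described above speak standard substation protocols, so one defender's check is whether control commands on those protocols come only from the hosts expected to issue them. As an added example (not code from the talk, ESET or Dragos), this Python snippet parses IEC 60870-5-104 APDUs and flags breaker-style control commands from hosts outside an allowlist; the host addresses, the allowlist and the sample frame are constructed assumptions.

```python
# Added example, not from the article or the Black Hat talk: a defender-side
# parser for IEC 60870-5-104 that flags process-control commands (the kind of
# traffic a "104 payload" uses to open or close breakers) arriving from a host
# not on the allowlist of known control hosts. Hosts/allowlist are constructed.

CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission 6 = activation, i.e. a real command

def parse_control_asdu(apdu: bytes):
    """(type_id, cot, common_addr, ioa, state, select) or None if not a control ASDU."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] + 2 != len(apdu):
        raise ValueError("malformed IEC 104 APDU")
    if apdu[2] & 0x01:  # control field 1 bit 0 set: S- or U-format, carries no ASDU
        return None
    asdu = apdu[6:]
    if len(asdu) < 10 or asdu[0] not in CONTROL_TYPE_IDS:
        return None
    type_id = asdu[0]
    cot = asdu[2] & 0x3F  # low six bits; the top two are the P/N and test flags
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)  # 3-byte information object address
    qualifier = asdu[9]  # SCO for types 45/58, DCO for types 46/59
    if type_id in (46, 59):
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
    else:
        state = "ON" if qualifier & 0x01 else "OFF"
    return type_id, cot, common_addr, ioa, state, bool(qualifier & 0x80)  # bit 7: select

def find_unauthorized_commands(packets, allowed_sources):
    """packets: iterable of (src_host, apdu_bytes); returns one alert string per hit."""
    alerts = []
    for src, apdu in packets:
        parsed = parse_control_asdu(apdu)
        if parsed is None or parsed[1] != COT_ACTIVATION or src in allowed_sources:
            continue
        type_id, _, ca, ioa, state, select = parsed
        phase = "SELECT" if select else "EXECUTE"
        alerts.append(f"{src}: {CONTROL_TYPE_IDS[type_id]} {phase} {state} CA={ca} IOA={ioa}")
    return alerts

# Constructed sample: single command (type 45), activation, execute ON, IOA 4096,
# common address 1, seen from the allowed HMI and from a stray host.
SAMPLE_APDU = bytes.fromhex("680e000000002d010600010000100001")
ALLOWED_CONTROL_HOSTS = {"10.0.1.20"}  # constructed: the site's known HMI address
SAMPLE_PACKETS = [("10.0.1.20", SAMPLE_APDU), ("10.0.9.77", SAMPLE_APDU)]
```

Calling `find_unauthorized_commands(SAMPLE_PACKETS, ALLOWED_CONTROL_HOSTS)` returns a single alert for the stray host; activation confirmations (COT 7) and S/U-format frames are ignored.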

The technical aspects are compelling, but the human side behind the attack is also interesting.

“Writing malware is one thing, but knowing the systems is another,” said Robert Lee, chief executive at Dragos. “The attack group knew the system and what to do.”

Yes, there were some vulnerabilities in a Siemens device that the vendor had patched, but the utility never applied the patch. The attackers also compromised an ABB MicroSCADA device.

Well Thought Out Plan

But the reality is, Lee said, the attack was well planned and very well thought out; the attacker really didn’t need a big zero-day to get the job done.

“It is all about code, but it was the dedication of the attackers,” Lipovsky said.

“When we look at Crashoverride, the threat is with the human team,” Lee said.

To shed more light on the attackers, Joe Slowik discussed the group Dragos named Electrum, which it linked to an attacker named Sandstorm.

This was the operation of a motivated group, Slowik said. They began compiling and attacking one day after introducing the malware to the system.

“Somebody went in with the knowledge of what happened and how things worked,” Slowik said.

Another interesting fact is that, of all the payloads deployed in the attack, not all of their functionality was used. That could mean one of two things: either the attackers made a mistake, or they have additional capability and simply did not need what they placed in the payloads.

The Electrum group is still active today, Lee said.

“This trend of aggression is something we are worried about,” Lee said. “Adversaries are getting smarter and systems are getting more interoperable.”