At midnight, a week before last Christmas, hackers struck an electric transmission station north of the city of Kiev, blacking out a portion of the Ukrainian capital equivalent to a fifth of its total power capacity. The outage lasted about an hour, hardly a catastrophe. But now cybersecurity researchers have found disturbing evidence that the blackout may have been only a dry run. The hackers appear to have been testing the most evolved specimen of grid-sabotaging malware ever observed in the wild.

Cybersecurity firms ESET and Dragos Inc. plan today to release detailed analyses of a piece of malware used to attack the Ukrainian electric utility Ukrenergo seven months ago, which they say represents a dangerous advancement in critical infrastructure hacking. The researchers describe that malware, which ESET calls "Industroyer" and Dragos calls "Crash Override," as only the second known case of malicious code purpose-built to disrupt physical systems. The first, Stuxnet, widely attributed to the US and Israel, was used to destroy centrifuges in an Iranian nuclear enrichment facility in 2009.

The researchers say this new malware can automate mass power outages, like the one in Ukraine’s capital, and includes swappable, plug-in components that could allow it to be adapted to different electric utilities, easily reused, or even launched simultaneously across multiple targets. They argue that those features suggest Crash Override could inflict outages far more widespread and longer lasting than the Kiev blackout.

“The potential impact here is huge,” says ESET security researcher Robert Lipovsky. “If this is not a wakeup call, I don’t know what could be.”

The adaptability of the malware means that the tool poses a threat not just to the critical infrastructure of Ukraine, researchers say, but to other power grids around the world, including America's. “This is extremely alarming for the fact that nothing about it is unique to Ukraine,” says Robert M. Lee, the founder of the security firm Dragos and a former intelligence analyst focused on critical infrastructure security for a three-letter agency he declines to name. “They’ve built a platform to be able to do future attacks.”

Blackout

Last December's outage was the second time in as many years that hackers who are widely believed, but not proven, to be Russian have taken down elements of Ukraine's power grid. Together, the two attacks constitute the only confirmed cases of hacker-caused blackouts in history. But while the first of those attacks has received more public attention than the one that followed, the new findings about the malware used in the latter attack show it was far more than a mere rerun.


Instead of gaining access to the Ukrainian utilities' networks and manually switching off power to electrical substations, as hackers did in 2015, the 2016 attack was fully automated, the ESET and Dragos researchers say. The malware was programmed with the ability to "speak" directly to grid equipment, sending commands in the obscure industrial protocols those controls use to switch the flow of power on and off (ESET's analysis names IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA). That means Crash Override could perform blackout attacks more quickly, with far less preparation, and with far fewer humans managing it, says Dragos' Rob Lee.

“It’s far more scalable,” Lee says. He contrasts the Crash Override operation to the 2015 Ukraine attack, which he estimates required more than 20 people to attack three regional energy companies. “Now those 20 people could target ten or fifteen sites or even more, depending on time.”
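What "speaking the grid's protocols" looks like on the wire, and what a defender can watch for, is easier to see in code. The block below is an added example written for this article; it is not code from the article, from ESET or from Dragos, and it does not reproduce the malware. It assumes IEC 60870-5-104 (one of the protocols ESET's analysis lists) as the protocol, builds its own sample frames, and uses hypothetical host addresses and a hypothetical allow-list of SCADA masters. It decodes the APDU framing and the single-command ASDU a breaker "off" command rides in, then applies two simple detections: a control command from any host that is not a known master, and one host sending activation commands to many distinct information object addresses in a few seconds, which is the signature of an automated sweep rather than an operator clicking through a HMI.

```python
"""IEC 60870-5-104 decoder plus two breaker-command detections (added example,
not from the article, ESET or Dragos; protocol choice, IPs and allow-list are
assumptions)."""
import struct
from collections import defaultdict
from datetime import datetime, timedelta

# Type identifiers in the control direction: 45 = C_SC_NA_1 single command,
# 46 = C_DC_NA_1 double command, 100 = C_IC_NA_1 interrogation command.
CONTROL_TYPES = set(range(45, 52)) | set(range(58, 65))
COT_ACTIVATION = 6

def build_i_frame(type_id, cot, common_addr, ioa, element, tx=0, rx=0):
    """Build an I-format APDU carrying one information object (SQ=0, count=1)."""
    ctrl = struct.pack("<HH", tx << 1, rx << 1)          # bit 0 of octet 1 = 0 -> I-format
    asdu = struct.pack("<BBBBH", type_id, 1, cot & 0x3F, 0, common_addr)
    asdu += ioa.to_bytes(3, "little") + bytes([element])  # 3-byte IOA, 1-byte element
    body = ctrl + asdu
    return bytes([0x68, len(body)]) + body

def parse_apdu(buf):
    """Decode one APDU into a dict; raise ValueError on malformed input."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("bad start byte or truncated APCI")
    length = buf[1]
    if length < 4 or length + 2 != len(buf):
        raise ValueError("APDU length field does not match buffer")
    ctrl = buf[2:6]
    if ctrl[0] & 0x01 == 0:                               # I-format: carries an ASDU
        frame = {"format": "I",
                 "tx": (ctrl[0] >> 1) | (ctrl[1] << 7),
                 "rx": (ctrl[2] >> 1) | (ctrl[3] << 7)}
        asdu = buf[6:]
        if len(asdu) < 6:
            raise ValueError("ASDU header truncated")
        type_id, vsq, cot_raw, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
        frame.update(type_id=type_id, count=vsq & 0x7F, sq=bool(vsq & 0x80),
                     cot=cot_raw & 0x3F, negative=bool(cot_raw & 0x40),
                     test=bool(cot_raw & 0x80), common_addr=ca)
        if frame["count"] >= 1 and len(asdu) >= 10:       # decode the first object only
            frame["ioa"] = int.from_bytes(asdu[6:9], "little")
            frame["element"] = asdu[9]
            if type_id in (45, 46):
                frame["select"] = bool(asdu[9] & 0x80)    # S/E bit: 1 = select, 0 = execute
                # SCS (bit 0) for single commands, DCS (bits 0-1) for double commands
                frame["state"] = asdu[9] & 0x01 if type_id == 45 else asdu[9] & 0x03
        return frame
    if ctrl[0] & 0x03 == 0x01:                            # S-format: sequence ack only
        return {"format": "S", "rx": (ctrl[2] >> 1) | (ctrl[3] << 7)}
    return {"format": "U", "function": ctrl[0]}           # 0x07 STARTDT act, 0x43 TESTFR act ...

def detect(records, allowed_masters, window=timedelta(seconds=10), min_targets=5):
    """records: (timestamp, src_ip, dst_ip, apdu_bytes). Returns alert strings.
    Rule 1: control-direction ASDU from a host that is not a known master.
    Rule 2: one host sends activation commands to >= min_targets distinct IOAs
            within `window` (an automated sweep, not an operator)."""
    alerts, sweep = [], defaultdict(list)                  # sweep: src -> [(ts, ioa)]
    for ts, src, dst, raw in records:
        try:
            f = parse_apdu(raw)
        except ValueError as e:
            alerts.append(f"{ts:%H:%M:%S} {src}->{dst} malformed APDU: {e}")
            continue
        if f["format"] != "I" or f["type_id"] not in CONTROL_TYPES:
            continue
        if src not in allowed_masters:
            alerts.append(f"{ts:%H:%M:%S} {src}->{dst} control ASDU type {f['type_id']} "
                          f"IOA {f.get('ioa')} from non-master host")
        if f["cot"] == COT_ACTIVATION and "ioa" in f:
            hist = sweep[src]
            hist.append((ts, f["ioa"]))
            recent = {ioa for t, ioa in hist if ts - t <= window}
            if len(recent) == min_targets:                 # fire as the threshold is crossed
                alerts.append(f"{ts:%H:%M:%S} {src} sent activation commands to "
                              f"{len(recent)} IOAs within {window.seconds}s")
    return alerts

def sample_records():
    """Constructed traffic, not a capture: the master polls and issues one command,
    then a compromised workstation sends 'off' (SCS=0) to six breakers in 2 s."""
    t0 = datetime(2016, 12, 17, 23, 53, 0)
    master, rtu, rogue = "10.0.1.10", "10.0.2.20", "10.0.1.57"   # hypothetical hosts
    recs = [(t0, master, rtu, build_i_frame(100, COT_ACTIVATION, 1, 0, 0x14)),
            (t0 + timedelta(seconds=1), master, rtu,
             build_i_frame(45, COT_ACTIVATION, 1, 1001, 0x01, tx=1))]
    for i in range(6):
        recs.append((t0 + timedelta(seconds=30 + i * 0.3), rogue, rtu,
                     build_i_frame(45, COT_ACTIVATION, 1, 1001 + i, 0x00, tx=i)))
    recs.append((t0 + timedelta(seconds=40), rogue, rtu, b"\x68\x04\x01\x00\x00"))  # truncated
    return recs

if __name__ == "__main__":
    for line in detect(sample_records(), {"10.0.1.10"}):
        print(line)
```

Both rules are deliberately dumb so their limits are visible: an allow-list only helps if the attacker is not already on the master (in a well-planned operation the commands come from exactly the host that is supposed to send them), and a rate threshold only catches a sweep, not a single well-chosen command. What they do give a SOC is a way to see automated breaker control as a distinct event, which is the difference between the 2015 and 2016 attacks that the researchers are describing.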

As with Stuxnet, attackers could program elements of Crash Override to run without any feedback from operators, even on a network that is disconnected from the internet, what Lee describes as "logic bomb" functionality, meaning it could be programmed to automatically detonate at a preset time. From the hacker's point of view, he adds, "you can be confident it will cause disruption without your interaction."

Neither of the two security companies knows how the malware initially infected Ukrenergo. (ESET, for its part, notes that targeted phishing emails enabled the necessary access for the 2015 blackout attack, and suspects the hackers may have used the same technique a year later.) But once Crash Override has infected Windows machines on a victim's network, researchers say, it automatically maps out control systems and locates target equipment. The program also records network logs that it can send back to its operators, to let them learn how those control systems function over time.