Today the Dragos, Inc. team is releasing a report titled CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids. CRASHOVERRIDE is a malware framework that has not been disclosed before today but is the capability used in the cyber-attack on the Ukraine electric grid in 2016 (not the 2015 attack). Dragos can also confirm that we are tracking the adversary group behind the attack as ELECTRUM and can assess with high confidence the group has direct ties to the Sandworm Team which targeted infrastructure companies in the United States and Europe in 2014 and Ukraine electric utilities in 2015. The report we are releasing today serves as an industry report to accompany the intelligence report our customers have received on the threat. The intelligence report goes into more technical exploration and ties together sensitive details, but the industry report contains everything that defenders need to analyze the threat, defend their systems, and understand the potential impact. The report will also educate on grid operations and try to illuminate the threat scenarios while reducing any hype and confusion on the impact.

The purpose of this blog is to introduce some high-level items for everyone to be aware of (especially those that do not have time to read the full report).

The electric grid is extremely reliable. CRASHOVERRIDE represents alarming tradecraft and the ability to disrupt operations, but the public must understand that the outages could be in hours or days not in weeks or months. The electric grid operators train regularly to restore power for similar sized events such as weather storms. The first thank you that needs publicly stated is to those men and women responsible for having put the electric grid into a defensible situation through their dedication to reliability and safety of electric power.

The Slovakian anti-virus firm ESET informed Dragos on June 8th, 2017 that they would be releasing their report on June 12th on a piece of malware they identify as “Industroyer.” The request was to validate findings to reporters they were speaking to because Dragos has subject matter experts focused on ICS security. Dragos would like to recognize the good work by ESET and thank them for providing us with digital hashes of some samples of the malware which initiated our discovery of this new capability.

Dragos was able to confirm much of ESET’s analysis and leveraged the digital hashes to find other undisclosed samples and connections to a group we are tracking internally as ELECTRUM. Because of the new functionality, connections to the threat group, numerous references to crash.dll in the malware, and our analysis that this is not industry-wide focused but specific to electric grid operations led the team named this malware CRASHOVERRIDE.

The CRASHOVERRIDE malware is a framework that has modules specific to ICS protocol stacks including IEC 101, IEC 104, IEC 61850, and OPC. It is designed to allow the inclusion of additional payloads such as DNP3 but at this time no such payloads have been confirmed. The malware also contains additional non-ICS specific modules such as a wiper to delete files and processes off of the running system for a destructive attack to operations technology gear (not physical destruction of grid equipment).

The modules in CRASHOVERRIDE are leveraged to open circuit breakers on RTUs and force them into an infinite loop keeping the circuit breakers open even if grid operators attempt to shut them. This is what causes the impact of de-energizing the substations. Grid operators could go back to manual operations to alleviate this issue.

The CRASHOVERRIDE malware appears to have not used all of its functionality and modules, and it appears the Kiev transmission substation targeted in 2016 may have been more of a proof of concept attack than a full demonstration of the capability in CRASHOVERRIDE.

CRASHOVERRIDE’s wiper searches for specific ABB files to delete off of a system, however, there are no vulnerabilities in ABB that this malware takes advantage of; it is important to understand that the malware is sophisticated in its tradecraft because it takes advantage of the knowledge of grid operations and is vendor independent. In our assessment, the vendor names associated with the Kiev site are insignificant details and vendors and configurations of the environment were not at fault.

ESET’s report cites a Siemens SIPROTEC denial of service based on a publicly disclosed 2015 vulnerability. However, we cannot confirm the existence of this module.

There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites. However, it is important to know this is not a catastrophic scenario; there is no evidence the ELECTRUM actors could use CRASHOVERRIDE to do more than a few days of outages, and even to get a few days, would require the targeting of multiple sites simultaneously which is entirely possible but not trivial. CRASHOVERRIDE is an extremely concerning capability but should not be taken with any “doom and gloom” type scenarios. Everything past single substation events and small islanding events of targeting a few multiple locations is purely speculation and not worth discussion at this time.

Indicators of compromise for the CRASHOVERRIDE malware can be found in the industry report. Indicators of compromise are available, but the most important thing for security teams to watch for is malicious behaviors and set patterns associated with the ICS communications. Dragos Platform customers detect CRASHOVERRIDE and other similar tradecraft within an ICS network through a dozen new behavioral analytics and associated intelligence context. Follow on intelligence reports will keep customers up-to-date with the threat actor and capability as the situation evolves. The Dragos, Inc. team and ESET will also break down what is known to the public for the first time together at our joint talk at the BlackHat conference.