Dragos Inc. this week issued a report titled Crashoverride: Analyzing the Malware that Attacks Power Grids. In a blog post, chief executive Robert M. Lee describes Crashoverride as “…a malware framework…” that incorporates “…the capability used in the cyberattack on the Ukraine electric grid in 2016.” He identifies the group behind the attack as “Electrum” and expresses confidence that the group has ties to the Sandworm team, which targeted infrastructure in the U.S. and Europe in 2014 and Ukrainian electric utilities in 2015.
In The Wall Street Journal, Robert McMillan writes, “U.S. officials have expressed concern about cyberattacks on the industrial-control systems that run power plants and factory systems. Software specifically designed to infect these systems is relatively rare, however—Crashoverride is only the fourth example, according to Dragos.” McMillan quotes Lee as saying the malware isn’t designed to work with U.S. systems but could be modified to do so.
In his blog post, Lee writes that Dragos had previously issued an intelligence report to its customers. The report issued this week omits some technical and sensitive details included in the earlier intelligence report, but, Lee says, “…contains everything that defenders need to analyze the threat, defend their systems, and understand the potential impact.” Further, he says, the report tries to illuminate the threat scenarios while reducing hype and confusion.
Lee says Crashoverride could result in outages lasting hours or days (as with a winter storm), but not weeks or months. He credits the Slovakian antivirus firm ESET for its malware analysis.
The Crashoverride malware, Lee writes, “is a framework that has modules specific to ICS protocol stacks…” such as those related to the IEC 60870 standard for telecontrol of SCADA systems in power-system automation applications and the IEC 61850 reference architecture for electric power systems.
He explains, “The modules in Crashoverride are leveraged to open circuit breakers on RTUs and force them into an infinite loop keeping the circuit breakers open even if grid operators attempt to shut them.” He says Crashoverride may not have used all of its functionality in the 2016 attack and may have been a proof of concept rather than a full demonstration of the malware’s capability.
Dragos offers analytics to detect malware such as Crashoverride. Lee notes that Dragos and ESET will discuss the malware in a joint talk at the Black Hat conference July 22-27 in Las Vegas.
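The two preceding passages describe a framework that speaks ICS protocols such as IEC 60870 and hammers RTU breaker points with repeated open commands, and they note that detection analytics exist for it. The script below is an added illustration of what one such defensive analytic can look like; it is not Dragos or ESET code and is not derived from the report. It decodes only the fields of an IEC 60870-5-104 I-format APDU that a burst detector needs (type identifier, cause of transmission, common address, information object addresses) and raises an alert when one source sends more than a threshold of activation commands to the same point within a sliding window. The frame layout follows the public IEC 60870-5-104 specification; the source addresses, thresholds, point numbers and traffic are all constructed for the example.

```python
"""
Illustrative burst detector for IEC 60870-5-104 control commands.
Added example, not code from Dragos, ESET or the report discussed above.
Frame layout follows the public IEC 60870-5-104 spec; all sample traffic,
addresses and thresholds below are constructed.
"""
from collections import defaultdict, deque

# ASDU type identifiers for control commands, mapped to the size in bytes of
# the element that follows each 3-byte information object address (IOA).
# Time-tagged variants carry a 7-byte CP56Time2a after the 1-byte command.
CONTROL_ELEMENT_LEN = {
    45: 1,  # C_SC_NA_1 single command
    46: 1,  # C_DC_NA_1 double command
    47: 1,  # C_RC_NA_1 regulating step command
    58: 8,  # C_SC_TA_1 single command with time tag
    59: 8,  # C_DC_TA_1 double command with time tag
}
COT_ACTIVATION = 6  # cause of transmission: activation (the "do it" request)


def parse_apdu(raw: bytes):
    """Decode an I-format APDU to (type_id, cot, common_addr, [ioa, ...]).

    Returns None for U-/S-format frames, malformed frames, or ASDUs whose
    type is not a control command (those are not interesting to this detector).
    """
    if len(raw) < 12 or raw[0] != 0x68 or raw[1] + 2 != len(raw):
        return None
    if raw[2] & 0x01:  # control field bit 0 set: U- or S-format, no ASDU
        return None
    type_id = raw[6]
    if type_id not in CONTROL_ELEMENT_LEN:
        return None
    vsq = raw[7]
    if vsq & 0x80:  # SQ=1 (one IOA, sequential elements) is not used for commands
        return None
    count = vsq & 0x7F
    cot = raw[8] & 0x3F  # low 6 bits of the first COT byte
    common_addr = raw[10] | (raw[11] << 8)
    elem_len = CONTROL_ELEMENT_LEN[type_id]
    ioas, pos = [], 12
    for _ in range(count):
        if pos + 3 + elem_len > len(raw):
            return None
        ioas.append(raw[pos] | (raw[pos + 1] << 8) | (raw[pos + 2] << 16))
        pos += 3 + elem_len
    return type_id, cot, common_addr, ioas


class CommandBurstDetector:
    """Alert when one source sends >= threshold activation commands to the
    same (common address, IOA) within `window` seconds. One alert per key."""

    def __init__(self, threshold: int = 5, window: float = 10.0):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # (src, ca, ioa) -> recent timestamps
        self.alerted = set()
        self.alerts = []

    def observe(self, ts: float, src: str, raw: bytes):
        parsed = parse_apdu(raw)
        if parsed is None:
            return
        type_id, cot, ca, ioas = parsed
        if cot != COT_ACTIVATION:
            return
        for ioa in ioas:
            key = (src, ca, ioa)
            q = self.history[key]
            q.append(ts)
            while q and ts - q[0] > self.window:  # drop timestamps outside window
                q.popleft()
            if len(q) >= self.threshold and key not in self.alerted:
                self.alerted.add(key)
                self.alerts.append({"src": src, "common_addr": ca, "ioa": ioa,
                                    "type_id": type_id, "count": len(q),
                                    "first_ts": q[0], "last_ts": ts})


def build_single_command(send_seq, recv_seq, common_addr, ioa, on, cot=COT_ACTIVATION):
    """Constructed test fixture: one C_SC_NA_1 (type 45) I-format APDU."""
    ctrl = bytes([(send_seq << 1) & 0xFF, (send_seq >> 7) & 0xFF,
                  (recv_seq << 1) & 0xFF, (recv_seq >> 7) & 0xFF])
    asdu = bytes([45, 0x01, cot, 0x00, common_addr & 0xFF, common_addr >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF,
                  0x01 if on else 0x00])  # SCO: bit0 = SCS, bit7 = 0 (execute)
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def run_sample():
    """Constructed traffic: one normal operator command, then a burst."""
    det = CommandBurstDetector(threshold=5, window=10.0)
    det.observe(0.0, "10.0.0.5", build_single_command(0, 0, 1, 1001, False))
    for i in range(6):  # six open commands in 2.5 s on the same point
        det.observe(100.0 + i * 0.5, "10.0.0.77",
                    build_single_command(i, 0, 1, 2001, False))
    return det.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT", alert)
```

The detector keys on activation commands only, so routine interrogation and monitoring traffic never contributes to a count, and it fires once per (source, common address, point) so a sustained loop produces one alert rather than a flood. A real deployment would feed it from a packet capture on the SCADA network segment and would tune the threshold to the site's normal switching rate.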
You can download the full Dragos report at Lee’s blog post.