CRASHOVERRIDE: Malware Framework Designed to Disrupt Electric Grids

The cybersecurity firm Dragos Inc., which specializes in industrial control system (ICS) networks, released a report detailing the first ever malware framework developed specifically to target electric grids, dubbed "CRASHOVERRIDE." Dragos was notified of the malware on June 8, 2017 by the Slovakian cybersecurity firm ESET, which calls the malware "Industroyer" and published a report of its own on the WeLiveSecurity blog. Dragos and ESET confirmed that the malware was used in the December 17, 2016 cyberattack that de-energized a Ukrainian transmission station outside of Kiev, causing power outages that affected an unknown number of customers for approximately one hour. Unlike previous ICS malware campaigns intended for reconnaissance and espionage, such as BlackEnergy 2 and Havex, CRASHOVERRIDE is designed solely to conduct disruptive attacks intended to cause power outages. The Dragos report states that CRASHOVERRIDE can be repurposed to effectively target infrastructure in Europe, the Middle East, and Asia, and, with some tailoring, the North American grid. Though it was developed to target electric grids, it could be used against other industries with additional modules.

The NJCCIC recommends that all critical infrastructure owners and operators review the Dragos report in full, scan their networks using the IOCs provided to identify any potential infections, and take proactive measures, such as those provided in the NCCIC/US-CERT Alert (TA17-163A), to implement cybersecurity best practices and improve the overall defensive posture of their networks. Dragos published a GitHub repository containing the CRASHOVERRIDE IOCs, available here.