CRASHOVERRIDE

CRASHOVERRIDE, also known as “Industroyer,” is only the fourth known malware family built to target ICS components (after Stuxnet, Havex, and BlackEnergy 2) and the first known to target the electric grid specifically. Once it has infected a Windows machine on an ICS network, it enumerates the control system, writes logs of the target devices’ responses for its operators, and locates the equipment it is configured to attack. It speaks several grid protocols and can fetch new modules once it reaches the internet. It also carries a wiper that destroys files and service configuration on the host, both to hamper recovery and to cover its tracks once the attack is complete.

It is a modular framework: an initial backdoor module, a launcher module that starts the payloads at a configured time, and several additional payload modules (the protocol modules and the wiper).

The backdoor provides remote access to the infected system and supports the following commands from its operators:

  • Create a new process as the logged-in user
  • Create a new process as a specified user
  • Copy a file
  • Write a file (download it from the command-and-control server)
  • Execute a shell command as the logged-in user
  • Execute a shell command as a specified user
  • Kill the backdoor
  • Stop a service
  • Stop a service as a specified user
  • Start a service as a specified user
  • Alter an existing service (replace its image path in the registry)

The launcher module loads the payload modules that manipulate the ICS and then the wiper that causes destruction. The wiper performs the following:

  • Clear the registry values (image paths) of system services so they can no longer start
  • Overwrite ICS configuration files (for example ABB PCM600 substation project files) across the hard drives and all mapped network drives
  • Overwrite generic Windows files
  • Render the system unusable, so the machine cannot be used to restore operations

The remaining payload modules each speak one control-system protocol directly to substation devices: IEC 60870-5-104, IEC 60870-5-101, IEC 61850, and OPC DA, plus a SIPROTEC DoS module that targets Siemens SIPROTEC protective relays.
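As Dragos and ESET describe it, the IEC 104 payload issues select/execute commands to configured information object addresses (IOAs) and can flip their state repeatedly. That is a recognizable pattern on the substation network: a human operator selects and executes one point at a time, while a scripted payload walks a range of points or toggles one point in a loop. The following is an added example, not code from the page, from Dragos, or from ESET: a minimal IEC 60870-5-104 APDU decoder for single and double commands, plus two detection heuristics run over a constructed capture. The source addresses, IOAs, thresholds, and time window are assumptions chosen for the example.

```python
"""Detect CRASHOVERRIDE-style IEC 104 control abuse on captured APDUs.

Added example, not code from the page, Dragos, or ESET. The frame layout follows
IEC 60870-5-104; the sample traffic, hosts, and thresholds are constructed here.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass

# Control-direction type IDs this example decodes: single/double commands,
# with and without a CP56Time2a time tag (the qualifier byte is the same).
SINGLE_CMD = {45, 58}   # C_SC_NA_1, C_SC_TA_1 (SCO: bit0 = state, bit7 = select)
DOUBLE_CMD = {46, 59}   # C_DC_NA_1, C_DC_TA_1 (DCO: bits0-1 = state, bit7 = select)
COT_ACTIVATION = 6      # cause of transmission "activation": the master wants it done


@dataclass
class Command:
    type_id: int
    cot: int
    common_addr: int
    ioa: int
    select: bool   # True = select, False = execute
    state: int     # SCS (0/1) or DCS (1 = off, 2 = on)


def parse_apdu(buf: bytes):
    """Return a Command for an I-format APDU carrying a single/double command, else None."""
    if len(buf) < 6 or buf[0] != 0x68 or buf[1] + 2 != len(buf):
        raise ValueError("malformed IEC 104 APDU")
    if buf[2] & 0x01:            # S- or U-format control field: no ASDU inside
        return None
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU")
    type_id = asdu[0]
    if type_id not in SINGLE_CMD | DOUBLE_CMD:
        return None
    if asdu[1] & 0x7F != 1:      # commands carry exactly one information object
        raise ValueError("unexpected object count for command ASDU")
    if len(asdu) < 10:
        raise ValueError("truncated command ASDU")
    cot = asdu[2] & 0x3F
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)   # 3-byte little-endian IOA
    qualifier = asdu[9]
    state = qualifier & 0x01 if type_id in SINGLE_CMD else qualifier & 0x03
    return Command(type_id, cot, common_addr, ioa, bool(qualifier & 0x80), state)


def build_single_command(ioa, state, select, cot=COT_ACTIVATION, common_addr=1):
    """Encode a C_SC_NA_1 APDU (sequence numbers zero) to construct sample traffic."""
    asdu = (bytes([45, 0x01, cot, 0x00]) + struct.pack("<H", common_addr)
            + struct.pack("<I", ioa)[:3] + bytes([(0x80 if select else 0) | (state & 1)]))
    ctrl = bytes(4)              # I-format control field with N(S) = N(R) = 0
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def detect_control_abuse(events, window=10.0, min_ioas=5, min_transitions=2):
    """events: (timestamp, source, Command). Two heuristics over execute commands:
    sweep: one source executes on >= min_ioas distinct IOAs inside `window` seconds;
    flapping: one source drives one IOA through >= min_transitions state changes inside `window`."""
    alerts = []
    by_src = defaultdict(list)
    for ts, src, cmd in sorted(events, key=lambda e: e[0]):
        if cmd.cot == COT_ACTIVATION and not cmd.select:
            by_src[src].append((ts, cmd))
    for src, execs in by_src.items():
        start, fired = 0, False
        for end in range(len(execs)):                 # sliding window over executes
            while execs[end][0] - execs[start][0] > window:
                start += 1
            ioas = {c.ioa for _, c in execs[start:end + 1]}
            if len(ioas) >= min_ioas and not fired:
                alerts.append(f"{src}: execute commands to {len(ioas)} IOAs within {window}s (sweep)")
                fired = True
        per_point = defaultdict(list)
        for ts, c in execs:
            per_point[(c.common_addr, c.ioa)].append((ts, c.state))
        for (ca, ioa), seq in per_point.items():
            changes = sum(1 for (t0, s0), (t1, s1) in zip(seq, seq[1:])
                          if s0 != s1 and t1 - t0 <= window)
            if changes >= min_transitions:
                alerts.append(f"{src}: IOA {ioa} (CA {ca}) changed state {changes} times within {window}s (flapping)")
    return alerts


def demo():
    """Constructed capture: one operator action, then a scripted sweep and a toggling loop."""
    frames = [(0.0, "10.0.0.2", build_single_command(1001, 1, select=True)),
              (0.4, "10.0.0.2", build_single_command(1001, 1, select=False))]
    frames += [(100.0 + i * 0.2, "10.0.0.5", build_single_command(2001 + i, 0, select=False))
               for i in range(8)]
    frames += [(200.0 + i * 0.3, "10.0.0.5", build_single_command(3001, s, select=False))
               for i, s in enumerate([1, 0, 1, 0])]
    events = [(ts, src, cmd) for ts, src, buf in frames if (cmd := parse_apdu(buf)) is not None]
    return detect_control_abuse(events)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In a real deployment the decoder would be fed by a TCP stream reassembler on port 2404 (several APDUs can share one segment) and the thresholds tuned against the site’s normal switching rate; note that the IEC 101 module works over serial links, so this network-side check does not see it.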

The Slovakian cybersecurity firm ESET and Dragos Inc., a cybersecurity firm specializing in ICS networks, confirmed that the malware was used in the December 17, 2016 cyberattack that de-energized a Ukrainian transmission substation outside Kiev, cutting roughly a fifth of the city’s electricity consumption at the time and causing an outage of about an hour for an unknown number of customers. Unlike earlier ICS malware campaigns built for reconnaissance and espionage, such as BlackEnergy 2 and Havex, CRASHOVERRIDE is designed solely to carry out disruptive attacks that cause power outages.

The Dragos report states that CRASHOVERRIDE has capabilities well beyond what was exercised in the Ukrainian incident: it can be repurposed to target infrastructure in Europe, the Middle East, and Asia and, with some tailoring, the North American grid, and although it was built for electric grids, additional protocol modules would let it be used against other industries. Its capabilities include de-energizing a substation, forcing an islanding event, executing amplification attacks (the wiper and the relay DoS hinder restoration), creating a Denial of Visibility condition for operators, and hampering protective relays.

It is widely believed that the Sandworm Team, attributed by some to Russian state-sponsored hackers, is responsible for the attack on the Ukrainian transmission substation.

Reporting

  • June 2017: ‘Crash Override’: The Malware That Took Down a Power Grid. (WIRED)
  • June 2017: Crash Override: the malware that triggered the Ukrainian power outage. (Ars Technica)

Technical Details

  • Dragos provides technical details on CRASHOVERRIDE in its report “CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations” (June 2017).
  • ESET provides technical details on Industroyer in its whitepaper “WIN32/INDUSTROYER: A new threat for industrial control systems” (June 2017).