CRASH OVERRIDE MALWARE THAT TOOK DOWN A POWER GRID


Postby seemslikeadream » Wed Jun 14, 2017 11:22 am

WIRED
Andy Greenberg
Security
06.12.17 08:00 AM
'CRASH OVERRIDE': THE MALWARE THAT TOOK DOWN A POWER GRID

AT MIDNIGHT, A week before last Christmas, hackers struck an electric transmission station north of the city of Kiev, blacking out a portion of the Ukrainian capital equivalent to a fifth of its total power capacity. The outage lasted about an hour—hardly a catastrophe. But now cybersecurity researchers have found disturbing evidence that the blackout may have only been a dry run. The hackers appear to have been testing the most evolved specimen of grid-sabotaging malware ever observed in the wild.

Cybersecurity firms ESET and Dragos Inc. plan today to release detailed analyses of a piece of malware used to attack the Ukrainian electric utility Ukrenergo seven months ago, what they say represents a dangerous advancement in critical infrastructure hacking. The researchers describe that malware, which they’ve alternately named “Industroyer” or “Crash Override,” as only the second-ever known case of malicious code purpose-built to disrupt physical systems. The first, Stuxnet, was used by the US and Israel to destroy centrifuges in an Iranian nuclear enrichment facility in 2009.

The researchers say this new malware can automate mass power outages, like the one in Ukraine’s capital, and includes swappable, plug-in components that could allow it to be adapted to different electric utilities, easily reused, or even launched simultaneously across multiple targets. They argue that those features suggest Crash Override could inflict outages far more widespread and longer lasting than the Kiev blackout.
“The potential impact here is huge,” says ESET security researcher Robert Lipovsky. “If this is not a wakeup call, I don’t know what could be.”

The adaptability of the malware means that the tool poses a threat not just to the critical infrastructure of Ukraine, researchers say, but to other power grids around the world, including America's. “This is extremely alarming for the fact that nothing about it is unique to Ukraine,” says Robert M. Lee, the founder of the security firm Dragos and a former intelligence analyst focused on critical infrastructure security for a three-letter agency he declines to name. “They’ve built a platform to be able to do future attacks.”

Blackout

Last December's outage was the second time in as many years that hackers who are widely believed—but not proven—to be Russian have taken down elements of Ukraine's power grid. Together, the two attacks comprise the only confirmed cases of hacker-caused blackouts in history. But while the first of those attacks has received more public attention than the one that followed, the new findings about the malware used in that latter attack show it was far more than a mere rerun.


Instead of gaining access to the Ukrainian utilities’ networks and manually switching off power to electrical substations, as hackers did in 2015, the 2016 attack was fully automated, the ESET and Dragos researchers say. It was programmed to include the ability to “speak” directly to grid equipment, sending commands in the obscure protocols those controls use to switch the flow of power on and off. That means Crash Override could perform blackout attacks more quickly, with far less preparation, and with far fewer humans managing it, says Dragos’ Rob Lee.

“It’s far more scalable,” Lee says. He contrasts the Crash Override operation to the 2015 Ukraine attack, which he estimates required more than 20 people to attack three regional energy companies. “Now those 20 people could target ten or fifteen sites or even more, depending on time.”

Like Stuxnet, attackers could program elements of Crash Override to run without any feedback from operators, even on a network that’s disconnected from the internet—what Lee describes as a "logic bomb" functionality, meaning it could be programmed to automatically detonate at a preset time. From the hacker’s point of view, he adds, “you can be confident it will cause disruption without your interaction.”

Neither of the two security companies knows how the malware initially infected Ukrenergo. (ESET, for its part, notes that targeted phishing emails enabled the necessary access for the 2015 blackout attack, and suspects the hackers may have used the same technique a year later.) But once Crash Override has infected Windows machines on a victim's network, researchers say, it automatically maps out control systems and locates target equipment. The program also records network logs that it can send back to its operators, to let them learn how those control systems function over time.

From that point, researchers say, Crash Override could launch any of four "payload" modules, each of which communicates with grid equipment via a different protocol. In its December attack on Ukrenergo, it used protocols common to Ukraine, according to Lee's analysis. But the malware's swappable component design means it could have easily adapted to protocols more commonly used elsewhere in Europe or in the United States, downloading new modules on the fly if the malware can connect to the internet.

Aside from that adaptability, the malware can also comprehensively destroy all files on systems it infects, to cover its tracks after an attack is completed.

Physical Damage?

Another disturbing but less understood feature of the program, according to ESET, suggests an extra capability that hackers could potentially use to cause physical damage to power equipment. ESET's researchers say one aspect of the malware exploits a known vulnerability in a piece of Siemens equipment known as a Siprotec digital relay. The Siprotec device gauges the charge of grid components, sends that information back to its operators, and automatically opens circuit breakers if it detects dangerous power levels. But by sending that Siemens device a carefully crafted chunk of data, the malware could disable it, leaving it offline until it's manually rebooted. (Dragos, for its part, couldn't independently confirm that the Siemens attack was included in the malware sample they analyzed. A Siemens spokesperson points to a firmware update the company released for its vulnerable Siprotec devices in July of 2015, and suggests that owners of the digital relays patch them if they haven't already.)^1^

That attack might be intended to merely cut off access to circuit breakers after the malware opens them, preventing the operators from easily turning the power back on, says Mike Assante, a power grid security expert and instructor at the SANS Institute. But Assante, who in 2007 led a team of researchers that showed how a massive diesel generator could be physically and permanently broken with only digital commands, says the Siprotec attack might also have a more destructive function. If attackers used it in combination with overloading the charge on grid components, it could prevent the kill-switch feature that keeps those components from overheating, damaging transformers or other equipment. Assante cautions the Siprotec attack still requires further analysis to better understand it, but still sees the potential as cause enough for concern.

"This is definitely a big deal," says Assante. "If it’s possible to disable the digital relay, you risk thermal overload to lines. That can cause lines to sag or melt, and can damage transformers or equipment that's in line and energized."

ESET argues that Crash Override could go even further, causing physical destruction by carrying out a well-crafted attack on multiple points in a power grid. Taking down elements of a grid en masse could cause what they describe as a "cascading" outage, in which a power overload spills over from one region to another to another.

Uncertain Scope

Neither ESET nor Dragos was willing to say with any certainty who might have created the malware, but Russia looms as the likely suspect. For three years, a sustained series of cyberattacks has bombarded Ukraine's government agencies and private industry alike. The timing of those attacks coincides with Russia’s invasion of Ukraine’s Crimean peninsula and its eastern region, known as Donbass. Earlier this year, Ukrainian president Petro Poroshenko declared in a speech following the second blackout that the attacks were performed with the “direct or indirect involvement of secret services of Russia, which have unleashed a cyberwar against our country.” Other researchers at Honeywell and Kiev-based Information Systems Security Partners have already argued that the 2016 blackout was likely perpetrated by the same hackers as the 2015 attack, which has been widely linked to a hacker group known as Sandworm and believed to have originated in Russia. On Monday, Dragos noted that it believes with "high confidence" that the Crash Override attack was the work of Sandworm, too, but didn't offer details of exactly how it came to that conclusion.

Despite Crash Override's dangerous capabilities and suspected Russian links, US and European grid operators still shouldn't panic about automated power-killing cyberattacks, Dragos' Lee argues.

He notes that unlike Stuxnet, the malware Dragos and ESET analyzed doesn't contain any apparent "zero-day" exploit for spreading or infiltrating new networks. While ESET warns that Crash Override could be adapted to affect other types of critical infrastructure like transportation, gas lines, or water facilities, Lee argues that would require rewriting other parts of the code beyond its modular components. And he points out that if power-grid operators closely monitor their control system networks—most around the globe likely don't, he says—they should be able to spot the malware's noisy reconnaissance scans before it launches its payloads. "It sticks out like a sore thumb," Lee says.
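Lee's point that the malware's reconnaissance "sticks out like a sore thumb" to anyone watching a control-system network is worth making concrete. The script below is an added example, not code from the Wired article, ESET or Dragos, and it does not model the malware itself; it shows the kind of simple detection a grid operator could run over connection logs. It assumes a constructed log format (timestamp, source, destination, destination port, transport) such as a firewall or flow collector might export, and a hypothetical allowlist of SCADA masters that are supposed to poll field devices. The port-to-protocol mapping uses standard assignments (TCP 102 for IEC 61850 MMS and Siemens S7, 502 for Modbus/TCP, 2404 for IEC 60870-5-104, 20000 for DNP3). Two signals are checked: one host touching many distinct field devices in a short window (a sweep), and any host speaking ICS protocols that is not a known master.

```python
"""Flag noisy ICS reconnaissance in a connection log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Standard port assignments for common substation/ICS protocols.
ICS_PORTS = {
    102: "IEC 61850 MMS / Siemens S7",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
}

# Hypothetical allowlist: the only hosts that should poll field devices.
KNOWN_MASTERS = {"10.10.1.5"}

# Constructed sample log: timestamp src dst dport proto.
# 10.10.1.5 is the real SCADA master; 10.10.2.33 is a workstation sweeping
# relays on two ICS protocols; 10.10.1.9 makes a single unexpected DNP3 call.
SAMPLE_LOG = """\
# timestamp src dst dport proto
2017-01-01T23:40:01 10.10.1.5 10.10.5.11 2404 tcp
2017-01-01T23:40:01 10.10.1.5 10.10.5.12 2404 tcp
2017-01-01T23:40:05 10.10.1.5 10.10.5.11 2404 tcp
2017-01-01T23:40:05 10.10.1.5 10.10.5.12 2404 tcp
2017-01-01T23:40:30 10.10.2.33 10.10.5.11 102 tcp
2017-01-01T23:40:31 10.10.2.33 10.10.5.12 102 tcp
2017-01-01T23:40:32 10.10.2.33 10.10.5.13 102 tcp
2017-01-01T23:40:33 10.10.2.33 10.10.5.11 2404 tcp
2017-01-01T23:40:34 10.10.2.33 10.10.5.12 2404 tcp
2017-01-01T23:40:35 10.10.2.33 10.10.5.13 2404 tcp
2017-01-01T23:40:36 10.10.2.33 10.10.5.14 2404 tcp
2017-01-01T23:40:40 10.10.2.33 10.10.6.2 445 tcp
2017-01-01T23:41:00 10.10.1.5 10.10.6.1 443 tcp
2017-01-01T23:55:00 10.10.1.9 10.10.5.11 20000 tcp
"""


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_log(text: str) -> list:
    """Parse the constructed whitespace-separated log into Conn records."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, _proto = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport)))
    return conns


def find_ics_sweeps(conns, window=timedelta(minutes=5), min_targets=5) -> dict:
    """Return {src: n} for sources that reached at least `min_targets` distinct
    (destination, ICS port) pairs inside some `window`-long interval."""
    by_src = defaultdict(list)
    for c in conns:
        if c.dport in ICS_PORTS:
            by_src[c.src].append(c)
    hits = {}
    for src, events in by_src.items():
        events.sort(key=lambda c: c.ts)
        seen = {}          # (dst, dport) -> count inside the current window
        left = 0
        best = 0
        for ev in events:  # sliding window over time-ordered events
            key = (ev.dst, ev.dport)
            seen[key] = seen.get(key, 0) + 1
            while ev.ts - events[left].ts > window:
                old = (events[left].dst, events[left].dport)
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            best = max(best, len(seen))
        if best >= min_targets:
            hits[src] = best
    return hits


def find_unexpected_masters(conns, allowlist=frozenset(KNOWN_MASTERS)) -> set:
    """Sources speaking ICS protocols that are not on the master allowlist."""
    return {c.src for c in conns if c.dport in ICS_PORTS and c.src not in allowlist}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for src, n in find_ics_sweeps(records).items():
        print(f"sweep: {src} touched {n} ICS endpoints within 5 minutes")
    for src in sorted(find_unexpected_masters(records)):
        print(f"unexpected ICS talker: {src}")
```

On the constructed sample the master polling its two relays is quiet under both rules, the sweeping workstation trips the sweep rule with seven distinct endpoints, and both the workstation and the one-off DNP3 caller trip the allowlist rule. In a real deployment the allowlist and thresholds come from the site's own asset inventory; the value of the approach is that an ICS network's traffic is normally so regular that a new talker or a fan-out across many devices is a loud anomaly.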

Still, none of that should leave US grid officials complacent. The malware that attacked Kiev's grid has turned out to be more sophisticated, adaptable, and dangerous than the cybersecurity community had imagined. And those features suggest that it's not going away. "In my analysis, nothing about this attack looks like it’s singular," Lee concludes. "The way it’s built and designed and run makes it look like it was meant to be used multiple times. And not just in Ukraine."

^1^Updated 6/13/2016 12:00 EST to include a response from Siemens.

https://www.wired.com/story/crash-override-malware/



Russia’s Power Trip

The country’s “new” weapon for disrupting electric grids should be a wake-up call.

By Fred Kaplan


Russian hackers have developed a cyberweapon that can disrupt power grids, according to a report widely publicized this week. In fact, the tool is nothing new—it has been around in various forms for a decade—but its implications are every bit as frightening as the headlines suggest.

The first test of such a weapon, it’s worth noting, was devised by the United States government. On March 4, 2007, the Department of Energy conducted an experiment—called the Aurora Generator Test—to see whether a hacker could destroy a physical object through strictly cyber means. The test was the brainchild of Michael Assante, at the time the chief security officer for American Electric Power, which delivered electricity to millions of customers throughout the South, Midwest, and mid-Atlantic.

A few years earlier, as a Navy officer, Assante had worked on government commissions studying the vulnerability of the nation’s critical infrastructure—banking and finance, transportation, telecommunications, gas and oil, water supply, and, yes, electrical power. The workings of these assets were increasingly run by automated control systems, which several commissions had warned were vulnerable to cyber attack.

When Assante joined American Electric Power and informed his new colleagues of this danger, they didn’t believe him. Yes, they said, someone could hack into a power plant or grid and cause a brief blackout, but a technician would replace the circuit breaker and the power would be restored. Assante devised a test to prove them wrong. He installed a 2.25-megawatt power generator, weighing 27 tons, inside a chamber at the Idaho National Laboratory. An IT technician wrote a piece of malware—just 21 lines of code—and typed it into a digital relay. The code opened a circuit breaker in the generator’s protection system, then closed it just before the system responded, throwing its operations out of sync. Almost instantly, the generator shook, some parts blew off, it belched out a puff of white smoke, then a huge cloud of black smoke. The machine was dead. Several officials in Washington monitored this test, and, thanks to YouTube, the rest of the world could watch it too.

This test took place shortly before Stuxnet, the joint U.S.–Israeli operation that destroyed the centrifuges in Iran’s Natanz nuclear reactor by hacking into the control system and then speeding up or slowing down the rate at which they spun. The Aurora Generator Test was what convinced several skeptical officials that a cyberattack—the simple insertion of malware—could not only manipulate a computer but destroy an object that the computer controls.

The Russian tool—known as CrashOverride, Industroyer, or Electrum—doesn’t work in precisely the same way as the malware in the Aurora Generator Test. In some applications, the Russian version sends commands that open circuit breakers when they should be closed; in others, circuits are “de-energized” through a variety of means.

Russia launched such an attack against the power grid in western Ukraine, first in 2015 and more recently this past December. The modern bit is that, in the decade since Aurora and Stuxnet, the Russians—and presumably a few other nations, including the United States—have figured out how to hack into these systems through a number of routes, in case the first one they try is blocked. The basic idea, though, is the same, and this sort of vulnerability pervades all systems that are run or monitored by automated controls—i.e., almost all the systems that make up our critical infrastructure.

One bit of good news, sort of, is that nearly every nation with advanced technology has followed the same path that we paved in embedding these controls into the foundations of our socioeconomic life. Michael Assante, who is now a director at the SANS Institute, a cybersecurity training organization, told me, “The majority of power systems rely on the same control system technologies available through global vendors.” Even older, locally built components, he says, “typically perform the same way and usually share the same vulnerabilities as the standard market-based solutions.”

In other words, whereas 20 years ago Americans were nearly the only people on Earth living in digital glass houses, now much of the world lives in them too—including Russians (and the Chinese and, as we learned with Stuxnet, Iranians). As a result, without anyone making a strategic decision about this, we have all entered into a state of “mutually assured destruction” when it comes to major cyberattacks. As with the decadeslong nuclear standoff, if Side A attacks Side B, then Side B will strike back at Side A—and therefore both sides might be deterred from attacking each other.

The Russians shut down western Ukraine’s power grid, in part, because they knew that Ukraine had no ability to strike back. That wouldn’t be the case if the Russians shut down a stretch of America’s power grid. But that isn't cause for relief. Unlike missile attacks, where the trajectory’s arc can be traced precisely, cyberattacks can be hard to pin down; it may take a while to figure out where the attack came from, and even then it’s not always clear who launched it. Before firing off a retaliatory attack, it would be good to know the proper target. Big wars have grown out of small misunderstandings. Then there’s the problem of rogue actors—terrorists, criminals, or mischief-makers—who simply want to disrupt the existing order and have a fairly good idea of how to cover their tracks.

Meanwhile, 10 years after the Aurora Generator Test (which only confirmed the reports of commissions formed 10 years before then), too few of the private companies that own and operate our critical infrastructure have taken steps to guard against these sorts of attacks. Some sectors have taken enormous steps, chief among them banks—and for good reason: Banks need your money and your trust, and they have the money to hire large teams of cybersecurity specialists. Cyberattacks are an everyday occurrence, and cybersecurity is a central piece of their business model. This is not the case with electrical utilities, whose executives see cyberattacks as a hypothetical danger. Many of them have also calculated that the cost of preventing an attack is almost as large as the cost of cleaning up after an attack—and the preventive measures might not really prevent one—so why bother to make much of an investment?

When the fear of cyberattacks first materialized, President Bill Clinton’s cybersecurity adviser tried to impose mandatory cybersecurity regulations on critical infrastructure companies. These attempts were quashed by lobbyists and by White House economic advisers. Now we are living with the consequences—and a new form of risk that too many of those in charge are ignoring at their, and our, peril.
http://www.slate.com/articles/news_and_ ... scary.html


Dark Territory: The Secret History of Cyber War

https://www.youtube.com/watch?v=PvvPmM3cHZ4
Mazars and Deutsche Bank could have ended this nightmare before it started.
They could still get him out of office.
But instead, they want mass death.
Don’t forget that.
