Last December, government officials in Ukraine launched a probe into a suspected cyberattack on the country’s power grid that caused a blackout in the northern part of the capital city of Kiev. It was the second major incident directed at its critical infrastructure within 12 months.

While that case remains under investigation, security researchers from Eset, a Slovakia-based cybersecurity firm, this week said a malware strain known as ‘Industroyer’ was “highly likely” to have been involved. In a white paper, experts called it an “advanced and sophisticated” threat.

“Industroyer is capable of controlling electricity substation switches and circuit breakers directly,” wrote researcher Anton Cherepanov in a blog post (12 June).

The team has warned that the malware could potentially be adapted to exploit protocols used in other critical systems, including power, water and gas.

Eset said critical infrastructure “switches” can be tampered with to perform various functions – from turning off power to causing damage to the equipment itself. In the 2015 incident, an alleged cyberattack left more than 220,000 people without power.

“Industroyer’s dangerousness lies in the fact that it uses protocols in the way they were designed,” Cherepanov wrote. “The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world.

“Thus, their communication protocols were not designed with security in mind. That means that the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware to ‘speak’ those protocols.” Unfortunately, evidence suggests the malware is fluent.

Upon analysis, Eset researchers found Industroyer has multiple components. At its core is a system backdoor used to manage an attack via a remote command and control (C&C) server, but it can also map networks and issue commands to identify specific industrial devices.

The security firm said its design shows a “deep knowledge and understanding” of control systems, often the beating heart of a country. In addition to its attack function, it can reportedly remain under the radar, ensure persistence and even “wipe all traces of itself after it has done its job.”

Cherepanov wrote: “The 2016 attack on the Ukrainian power grid attracted much less attention than the attack that occurred a year earlier. However, the tool most likely used, Win32/Industroyer, is an advanced piece of malware in the hands of a sophisticated and determined attacker.”

Source: International Business Times