
Industroyer/Crash Override is One of the Most Sophisticated ICS Malware Families Around

In December 2016, Ukraine's power grid network was hit by a cyberattack for the second time. Quite a few people in the capital Kiev were left with no electricity in the dead of the bitter Ukrainian winter, and although the outage was shorter compared to what happened a year earlier, the attack showed that determined hackers were not done torturing innocent citizens. It quickly became apparent that the malware used during the second attack wasn't the same as the one from 2015. There's still no official information on what it is that caused the 2016 outage, but researchers think that they may have found it.

ESET stumbled upon a few samples of a rather complex strain of malware which, they think, may be responsible for the blackout. They shared the samples with Dragos, a company that specializes in Industrial Control System (ICS) security. Dragos' experts are convinced that this is definitely the case.

ESET and Dragos picked different names for the malware: Industroyer and Crashoverride, respectively. Confusing naming conventions aside, the two companies do agree on one thing – what ESET found is a seriously powerful piece of kit developed by experienced threat actors.

It consists of several modules. Since the infection vector remains unknown for now, the experts could do little more than tell us what Industroyer/Crashoverride does once it finds itself on a targeted network. Its first task is to set up its main backdoor.

One of the more interesting features of this backdoor is its ability to talk to its Tor-hosted Command and Control (C&C) server only outside working hours, which is supposed to make detection even harder. With the backdoor installed, Industroyer/Crashoverride sends some information to the C&C, including the hardware profile GUID of the host machine, the malware's version, etc. Next, it starts receiving commands from the server.
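The after-hours-only beaconing described above is also a detection opportunity: a host that talks to a given destination exclusively outside working hours looks nothing like a normal workstation. The following is an added example, not code from the article or from ESET or Dragos, that runs that heuristic over a few constructed proxy log lines; the log format, the 08:00-18:00 Monday-to-Friday window and the hostnames are all assumptions.

```python
"""Added example (not from the article, ESET or Dragos): flag (host, destination)
pairs whose outbound connections occur only outside working hours, the
beaconing pattern the article attributes to the Industroyer/Crashoverride backdoor."""
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <source host> <destination:port>".
# 2016-12-16 is a Friday, 2016-12-17 a Saturday.
SAMPLE_LOG = """\
2016-12-16T09:12:03 ws-ops-07 intranet.example.local:443
2016-12-16T14:40:11 ws-ops-07 intranet.example.local:443
2016-12-16T22:05:41 ws-ops-07 203.0.113.10:443
2016-12-17T02:17:09 ws-ops-07 203.0.113.10:443
2016-12-17T23:58:30 ws-ops-07 203.0.113.10:443
2016-12-16T10:30:00 ws-hmi-02 203.0.113.10:443
2016-12-16T21:00:00 ws-hmi-02 203.0.113.10:443
"""

WORK_START, WORK_END = 8, 18  # assumed local working hours (Mon-Fri)


def in_working_hours(ts: datetime) -> bool:
    """True on a weekday between WORK_START and WORK_END (local time)."""
    return ts.weekday() < 5 and WORK_START <= ts.hour < WORK_END


def parse_line(line: str):
    """Split one constructed log line into (timestamp, host, destination)."""
    ts_str, host, dest = line.split()
    return datetime.fromisoformat(ts_str), host, dest


def find_after_hours_only(log_text: str, min_events: int = 3) -> dict:
    """Return {(host, dest): count} for pairs seen at least min_events times
    and never once during working hours.  A normal endpoint talking to a
    destination will usually show daytime traffic too; a backdoor that
    deliberately waits for the office to empty will not."""
    during = defaultdict(int)
    outside = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = parse_line(line)
        key = (host, dest)
        if in_working_hours(ts):
            during[key] += 1
        else:
            outside[key] += 1
    return {k: n for k, n in outside.items() if n >= min_events and during[k] == 0}


if __name__ == "__main__":
    for (host, dest), n in find_after_hours_only(SAMPLE_LOG).items():
        print(f"suspicious: {host} -> {dest} ({n} after-hours connections, none during work hours)")
```

The threshold and the working-hours window should be tuned per site; scheduled backups and patching jobs will otherwise show up as false positives.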

The backdoor can, among other things, copy, download, and execute files, terminate and launch processes and services, and register itself as a service. The final function is crucial for the next step. Registering itself as a service means that Industroyer/Crashoverride's main backdoor runs with elevated privileges. Thanks to these privileges, it can replace notepad.exe with a Trojanized version of Windows' native app. In reality, the fake Notepad is an additional backdoor which uses a different C&C and has pretty much the same functionality as the main one. Its sole purpose is to act as a backup in case the main backdoor gets discovered and deactivated. The next stage involves the launcher, the wiper, and, of course, the payloads.

The launcher creates two threads. The first one is responsible for loading the payloads into the memory while the second one waits for one or two hours before launching the wiper component. The wiper is similar to KillDisk – the data-deleting malware that was found during the investigation of the 2015 attack.

First, it modifies all the registry keys in HKLM\SYSTEM\CurrentControlSet\Services, which makes the system unbootable. Then, it enumerates the files on all the volumes connected to the computer, skipping only the ones in the Windows directory. Using a list of extensions, it picks the files that are about to be disrupted and overwrites a portion of them with garbage data. The file types include things you use in your normal day-to-day work like executables, archives, and backups, as well as files that are crucial for the correct functionality of specialized software employed by electrical stations and substations. Finally, the wiper terminates all the processes except its own, which crashes the system.

As we mentioned already, however, the wiper is triggered after the payloads have been loaded. There are four payloads: 101.dll, 104.dll, 61850.dll, and OPC.exe. The names aren't random. 101.dll is named after IEC 101, 104.dll is named after IEC 104, 61850.dll is named after IEC 61850, and OPC.exe is named after OPC. These are all communication standards and protocols used by industrial control systems in many parts of the world. The experts noted that Industroyer/Crashoverride's authors knew very well how these protocols work, and the really scary bit is, they didn't exploit any zero-day vulnerabilities.

The malware used the protocols in pretty much the same way a normal network endpoint would and triggered absolutely no alarm bells. The protocols themselves were designed decades ago when elements of a country's crucial infrastructure didn't need to be connected to the Internet. The fact that security wasn't such a big issue back then is becoming painfully evident now.

Whether or not Industroyer/Crashoverride can be adapted to work with other protocols and possibly affect other industries is open for debate. There are a few things that made researchers believe that the attack on Kiev in December 2016 was nothing more than a test, though.

There is, for example, a custom port scanner which can map the network and possibly infect other targets of interest, but the researchers noted that Industroyer/Crashoverride didn't act as a worm when they examined it, which suggests that the scanner was never used. In addition to this, according to ESET, there was another tool which exploited the CVE-2015-5374 vulnerability in Siemens' SIPROTEC devices. The Slovakian AV company said that the tool was never used, while Dragos found no traces of it.

The two reports on Industroyer/Crashoverride are apparently enough for a lot of people to conclude that the malware is coming from Russian state-sponsored threat actors. Dragos' experts do indeed think that they know who's responsible – a group of hackers called Electrum. The attribution debates might be missing the point, though. And the point is that whoever created Industroyer/Crashoverride is unlikely to stop here.