crashoverride, crash override malware

Back in Black – malware at your power company could put out the lights

Malware can do more than just hold up your device for ransom; they just might flip off the electrical power switch for an entire city. New malware is targeting the power grid infrastructure, say analysts, and this first attack is likely just a taste of what could come in the future.

The malware, called Industroyer or Crash Override, came into view in late 2016 when it knocked about 700,000 homes off the grid for few hours outside the Ukrainian city of Kiev. And that’s the good news. The bad news is that this malware knows its way around the power grid, can send out malicious commands to mission-critical equipment, and once configured and deployed, can be scaled out without direct hacker involvement.

There’s a SCADA in the lightswitch

This attack targeted several SCADA protocols used in Europe. SCADA, short for Supervisory Control and Data Acquisition, is the system of hardware and software controls behind almost every industrial process. Once activated, the Crash Override malware cycles through a range of circuit-breaker addresses, trips them, then repeats the process.

Malware targeting SCADA was not a big surprise. With origins dating back to intersection of manual controls and mainframe computers – it has been described as “insecure by design” by experts. Efforts to make SCADA more secure are something like putting a band-aid on a chest wound.

Following an even earlier hacker attack (also in Ukraine) on the power grid, the industry has taken a two-pronged approach: trying to prevent attacks and, almost more importantly, getting quickly back online afterwards.

Tidy hackers at work

Investigators aren’t exactly sure who wrote this malware – although some fingers are pointing towards Russia. What they are sure of is that these hackers did tidy work – without recycling old code or leaving digital fingerprints behind – and that more events are coming. There simply have been too many resources invested in creating this malware for this to be a one-off event. Besides, the malware has additional features and payloads not even activated this time. Investigators have raised the specter that this attack was just a POC (Proof of Concept) for getting the bugs ironed out of the malicious software before they move on to a real target.

Electrifying points to consider

Most people, myself included, are absolute strangers to the intricacies of high voltage systems. However, there are three points from this event that are applicable to everyone online.

  1. It can happen to you – The simple awareness that bad things can indeed happen is critical – for both power managers and individuals.
  2. Be prepared for bad events – Preventing or reducing the damage means having an action plan prepared. For this malware, Dragos recommended having robust backups of engineering files. For the average computer user, preparation should mean a combination of having files backed up, antivirus software in place, and software fully updated.
  3. Stay involved – “Human defenders are required” is the last line of the Dragos report. This is true for your online security. The best defense against a social engineering or customized spear-phishing attack is you.

This post is also available in: GermanFrenchItalian

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.