Researchers have discovered a potent piece of malware that led to the Ukrainian power crisis in December 2016 and have warned that similar malware could be used in the future.
The malware or modified copies of it can be used to cause a power outage or attack other critical infrastructure in Europe and the United States.
The malware was identified and thoroughly inspected by ESET and Dragos Inc, the former being an anti-virus software firm and the latter an American infrastructure security firm. Both firms have confirmed that Industroyer, the malware in question, was behind a power outage in Ukraine last year that caused an hour-long blackout in Kiev.
Researchers have warned that the malware ‘is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.’
In 2015, the Ukrainian power grid was targeted by another cyber-attack that employed a malware named BlackEnergy. The cyber-attack took control of remote access software to cut off power to as many as 250,000 households across several regions.
Protocols used in power infrastructure were designed and developed decades ago, when the industry wasn’t worried about cyber-security, the researchers said. As a result, cyber-criminals looking to destroy critical power infrastructure only need to design malware that conforms to those existing protocols, and they can engineer remote access software to function the way they want.
“The potential impact may range from simply turning off power distribution, cascading failures and more serious damage to equipment. The severity may also vary from one substation to another, as well,” noted Anton Cherepanov, a security researcher at ESET.
The reason the malware is so potentially destructive is that the industrial communication protocols used in Ukraine are also used in many other countries across the world. These protocols are used by governments to regulate not only power distribution but water and gas distribution as well.
Even though it is being used to attack unsecured, decades-old systems, Industroyer is as capable as any other modern malware. Not only can it stay hidden during operations, it also leaves no trace once those operations are completed. It also makes use of payload components to gain direct control of switches and circuit breakers at electricity distribution substations.
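The two points above, that the substation protocols accept any well-formed command and that the payloads issue breaker commands directly, mean the protocol layer itself offers nothing to catch misuse; the check has to sit beside it, on the network. The following is an added example written for this page, not code from the article or from ESET or Dragos: a small monitor that reads a constructed log of control commands, flags breaker commands from hosts outside an allow-list of engineering workstations, and flags any single host that fires a burst of breaker commands in a short window, which also catches an allow-listed workstation whose remote access software has been taken over. The log format, host addresses and command names are all constructed assumptions.

```python
"""
Added example, not from the article or from ESET/Dragos. Illustrates a
network-side check for an industrial protocol that does not authenticate
commands: an allow-list of control sources plus a burst detector.
Log format, addresses and command names are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass(frozen=True)
class ControlCommand:
    ts: datetime
    src: str
    dst: str
    command: str  # e.g. "breaker_open", "breaker_close", "read_status"


# Constructed policy: only these engineering hosts may issue breaker commands.
ALLOWED_CONTROL_SOURCES: Set[str] = {"10.0.1.10", "10.0.1.11"}
# Constructed set of command names that change substation state.
CONTROL_COMMANDS: Set[str] = {"breaker_open", "breaker_close"}

# Constructed sample log: "timestamp src dst command", one record per line.
# 10.0.2.44 is a host that is not on the allow-list.
SAMPLE_LOG = """\
2017-01-05T21:50:01 10.0.1.10 10.0.5.20 read_status
2017-01-05T21:50:05 10.0.1.10 10.0.5.20 breaker_close
2017-01-05T21:53:12 10.0.2.44 10.0.5.20 breaker_open
2017-01-05T21:53:13 10.0.2.44 10.0.5.21 breaker_open
2017-01-05T21:53:14 10.0.2.44 10.0.5.22 breaker_open
2017-01-05T21:55:00 10.0.1.11 10.0.5.20 read_status
"""


def parse_log(text: str) -> List[ControlCommand]:
    """Parse the constructed log format into ControlCommand records."""
    records: List[ControlCommand] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, command = line.split()
        records.append(ControlCommand(datetime.fromisoformat(ts), src, dst, command))
    return records


def find_unauthorized(commands: List[ControlCommand]) -> List[ControlCommand]:
    """Breaker commands sent by a host that is not an allowed control source."""
    return [
        c for c in commands
        if c.command in CONTROL_COMMANDS and c.src not in ALLOWED_CONTROL_SOURCES
    ]


def find_bursts(commands: List[ControlCommand],
                window_seconds: int = 60,
                threshold: int = 3) -> Dict[str, int]:
    """Sources that issued at least `threshold` breaker commands within any
    `window_seconds` window, regardless of whether they are allow-listed.
    Returns {source: largest count seen in one window}."""
    by_src: Dict[str, List[datetime]] = {}
    for c in commands:
        if c.command in CONTROL_COMMANDS:
            by_src.setdefault(c.src, []).append(c.ts)

    bursts: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        best = 0
        start = 0
        # Sliding window over the sorted timestamps.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def analyse(text: str) -> Dict[str, object]:
    """Run both checks over a log and return the findings."""
    cmds = parse_log(text)
    return {"unauthorized": find_unauthorized(cmds), "bursts": find_bursts(cmds)}


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for c in findings["unauthorized"]:
        print(f"unauthorized control command: {c.ts} {c.src} -> {c.dst} {c.command}")
    for src, count in findings["bursts"].items():
        print(f"burst: {src} sent {count} breaker commands within one window")
```

The two checks are deliberately independent: the allow-list catches a new host speaking the protocol, and the burst check catches a trusted host behaving abnormally, which is the case the article's remote-access takeover describes. Thresholds and window sizes would be tuned to the real baseline of a given substation.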
“Thanks to its ability to persist in the system and provide valuable information for tuning-up the highly configurable payloads, attackers could adapt the malware to any environment, which makes it extremely dangerous. Regardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve as a wake-up call for those responsible for security of critical systems around the world,” Cherepanov concluded.
Two years ago, James Arbuthnot, then a member of the UK Parliament’s Defense Select Committee, said that the country’s National Grid faced cyber-attacks on a daily basis and that threats to infrastructure were at an all-time high.
“There are, at National Grid, people of very high quality who recognize the risks that these attacks pose, and who are fighting them off, but we can’t expect them to win forever,” he said.
Charlie Edwards, national security and resilience director at the Royal United Services Institute, also said that energy firms in the country were facing an “ongoing, constant, relentless war” and that cyber-attacks were taking up much of GCHQ’s time.