SECURITY RESEARCHERS have uncovered Industroyer and have labelled it as the biggest threat to critical infrastructure since Stuxnet.
Stuxnet was the malicious worm responsible for causing substantial damage to Iran’s nuclear programme more than seven years ago. This new piece of malware, analysed by researchers at security company ESET, is capable of performing an attack like the one in 2016 that deprived part of Ukraine’s capital, Kiev, of power for an hour after an attack on the country’s power grid.
However, ESET said it has yet to confirm whether this was the exact same malware used in that attack. Either way, it said, the threat is still capable of doing significant harm to electric power systems and could even be refitted to target other types of critical infrastructure, which could cause havoc across the world.
In a blog post, ESET’s Anton Cherepanov explained that Industroyer uses industrial communication protocols such as those found in worldwide power supply infrastructure, transportation control systems and other critical infrastructure systems to control electricity substation switches and circuit breakers directly.
He explained that these switches and circuit breakers are digital equivalents of analogue switches, meaning they can be driven to perform various functions, ranging from turning off power distribution to triggering cascading failures and damaging equipment.
“Industroyer’s dangerousness lies in the fact that it uses protocols in the way they were designed to be used,” Cherepanov said.
“The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world. Thus, their communication protocols were not designed with security in mind. That means that the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware ‘to speak’ those protocols,” he added.
Industroyer’s core component is a backdoor used by attackers to manage the attack. It installs and controls the other components and connects to a remote server to receive commands and to report to the attackers.
According to ESET, what sets Industroyer apart from other malware targeting infrastructure is the use of four payload components that target particular communication protocols. It said that this showed that the author had a deep knowledge and understanding of industrial control systems.
The malware is also equipped with features that help it remain under the radar, ensure its persistence, and wipe all traces of itself once it has completed its job.
For example, communication with the C&C servers, which are hidden in Tor, can be limited to non-working hours, and it employs an additional backdoor that masquerades as a Notepad application and is designed to regain access to the targeted network in case the main backdoor is detected and/or disabled.
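The off-hours C&C behaviour described above gives defenders a simple signal to look for. The following is an added illustration, not code from ESET or the article: it baselines when hosts in an assumed ICS zone (10.50.0.0/16) talk to addresses outside that zone and flags any such connections outside an assumed 07:00-19:00 operator shift; the firewall log lines are constructed samples.

```python
"""Flag off-hours egress from an ICS zone (constructed sample data)."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumptions: the substation/ICS zone is 10.50.0.0/16 and operators
# are on shift 07:00-19:00 local time. Adjust both for a real site.
ICS_ZONE = ip_network("10.50.0.0/16")
WORK_START, WORK_END = time(7, 0), time(19, 0)

# Constructed firewall log: "<date> <time> <src> <dst> <dport> <action>".
# Addresses outside the zone are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2016-12-17 09:12:03 10.50.1.20 10.50.1.5 102 allow
2016-12-17 14:30:45 10.50.1.20 203.0.113.8 443 allow
2016-12-17 23:41:10 10.50.1.20 198.51.100.77 9001 allow
2016-12-18 02:15:33 10.50.1.21 198.51.100.77 443 allow
2016-12-18 03:05:00 10.50.2.9 10.50.2.1 2404 allow
"""


def parse_line(line):
    """Split one log line into a record with typed fields."""
    date, clock, src, dst, dport, action = line.split()
    return {
        "ts": datetime.fromisoformat(f"{date} {clock}"),
        "src": ip_address(src),
        "dst": ip_address(dst),
        "dport": int(dport),
        "action": action,
    }


def is_off_hours(ts):
    """True when the timestamp falls outside the operator shift."""
    return not (WORK_START <= ts.time() < WORK_END)


def find_off_hours_egress(log_text):
    """Return (src, dst, timestamp) for ICS-zone hosts that reached an
    address outside the zone during non-working hours. Internal traffic
    (e.g. to a protocol gateway) and working-hours egress are ignored."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if (rec["src"] in ICS_ZONE and rec["dst"] not in ICS_ZONE
                and is_off_hours(rec["ts"])):
            hits.append((str(rec["src"]), str(rec["dst"]),
                         rec["ts"].isoformat(sep=" ")))
    return hits
```

In a segment that should rarely reach the Internet at all, even a single hit deserves a look; correlate with the destination (for instance, known Tor relays) before escalating.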
Industroyer is highly customisable malware. It can be used to target specific hardware – analysis showed it had been used against industrial power control products by ABB, for example, while its DoS component works specifically against Siemens SIPROTEC devices.
Cherepanov concluded that while it was difficult to attribute attacks to malware without performing an on-site incident response, it was “highly probable” that Industroyer was used in the December 2016 attack on the Ukrainian power grid.