Industroyer
Short facts:
Industroyer is malware designed to manipulate the physical components of industrial control networks. It was first used in 2016 and caused a widespread power outage in the Ukrainian capital Kiev.
On December 17, 2016, power outages occurred in the Ukrainian capital Kiev for several hours. The cause was the irregular shutdown of several substations of the regional energy supplier. The Slovakian IT security company ESET was subsequently commissioned to check the communication in the telecontrol and network control systems. There, ESET found various software modules that later turned out to be parts of a complex malware. The malware was named Win32/Industroyer. In June 2017, ESET commissioned the US IT security company Dragos Inc. to verify and collate the malware. As the malware repeatedly identifies itself as CRASH in the course of functional analysis, Dragos Inc. subsequently named the malware crashoverride.
The results of both analyses outline a highly professional and cross-industry malware designed specifically to disrupt physical components in industrial control networks.
Special features of the malware Industroyer
Industroyer is the 4th known malware designed specifically for industrial control networks. The malware previously known for its ability to disrupt industrial environments was Stuxnet, Blackenergy 2 and Havex. After Stuxnet, Industroyer is the second malware that actually causes physical disturbances in industrial processes and the first known malware with a focus on electrical distribution grids.
Behind the attack is a suspected group called ELECTRUM, which is said to have close ties to the infamous Sandworm team. The Sandworm team is blamed for numerous cyberattacks on high-level industrial and governmental targets and for the widespread power outages in Ukraine in December 2015.
Analysts consider Industroyer to be particularly potent and effective because of several peculiarities. It is speculated that the cyberattack in December 2016 was only a field test to examine the basic operation in a real environment. Therefore, it is also assumed that more cyberattacks based on the Industroyer architecture will occur in the future, which could cause much more damage.
Special features include:
- Attack-vector and functionality of Industroyer are vendor-agnostic.
- Attackers and malware use the network's own communication patterns for infiltration, which masks them well against common IT security solutions. The industry standard protocols according to IEC 60870-5-104, IEC 60870-5-101, IEC 61850 and OLE for Process Control Data Access (OPC DA) are used for this.
- The malware is easily transferable to power grids in Europe, the Middle East and Asia.
- The malware can be applied to US electricity grids with a simple extension to the DNP3 protocol.
- The malware can easily be transferred to other industrial sectors via simple modifications.
- Industroyer can attack multiple locations simultaneously.
- Combining the functionality of the three known previous malware types, Stuxnet, Blackenergy 2, and Havex, Industroyer refines and complements the impact of the cyberattack of December 2015. The latter was notable for manipulating the control system so that it put itself out of action.
Purpose and function of Industroyer
The malware is classified as a pure attack malware based on its communication patterns. A spying function could not be detected.
The basic function of the Industroyer malware is to directly influence virtual switches in substations and overcurrent protection devices.
This allows Industroyer to:
- switch off the power distribution completely;
- cause cascading failures in the power grid and
- severely damage the hardware components of the network control and telecontrol systems.
Construction of Industroyer
The malware was built to disrupt power distribution networks. In order to understand how it works, it is worth taking a quick look at the general architecture of the network control and telecontrol systems.
After it is generated in the plant, the energy is usually transported over power lines across longer distances to substations (long-transmission level). In substations, transformers transform the high-voltage current into medium voltage or low voltage. From there, the electricity is passed on to the respective regional consumers. Municipal utilities often feed their electricity directly into the medium-voltage grid.
The substations are controlled by SCADA systems (Supervisory Control and Data Acquisition). Among other things, the remote terminal units (RTUs), which can open and close the switch-disconnectors in substations, are also controlled via this. These switch-disconnectors ensure that electricity flows into the distribution networks (closed) or that the current flow is interrupted (opened). The latter state means that consumers are not supplied with power in the area of influence of the substation (blackout).
In Europe, the Middle East and Asia, the IEC 104 and IEC 101 protocols are the standard for communication via SCADA systems. In the US, the industrial protocol DNP3 is in use. All protocols are ultimately used to control the physical components through RTUs, Programmable Logic Controllers (PLCs), and specific components. In addition, the IEC 61850 protocol is used globally for communication between human machine interfaces (HMIs) and digital relays and other intelligent electronic devices (IEDs). Various IEDs are typically found as additional components on the switch-disconnectors.
As shown here, Industroyer sits squarely within the communication structures of electricity distribution networks, which are more or less identical globally.
Industroyer was designed as a modular malware. The main components are:
- Main backdoor as communication gateway to external servers (command receipt and reporting) and for controlling the other components;
- Replacement Backdoor;
- port scanner;
- denial-of-service tool;
- Launcher;
- Data Wiper;
- payload modules for the four protocol types IEC 104, IEC 101, IEC 61850 and OLE for Process Control Data Access (OPC DA).
How Industroyer works
Backdoor installation
The attackers first installed the main backdoor. It authenticated itself with a local proxy over the internal network. The groundwork for this had already been laid before the installation. After authentication, the backdoor opened an HTTP channel to an external command-and-control server hidden in the Tor network. Once this connection was established, the further modules and commands were transferred. For this, the backdoor created a file in the local system, but its contents could not be reconstructed. Furthermore, the backdoor overwrote an existing service and referred to itself as a new service. As a result, the backdoor had established itself in the system and would also be loaded automatically after rebooting.
In addition, the backdoor installed a second backdoor that was disguised as a Notepad application. This replacement backdoor acted as a fallback if the main backdoor was detected and disabled by the network operator.
The backdoor also installed other specific tools, which, as far as is known today, include a port scanner and a denial-of-service tool. The specially designed port scanner was meant to keep scanning the network for suitable computers and components to potentially extend the attack. The denial-of-service tool, in turn, was aimed at turning off specific devices. This was done using the CVE-2015-5374 vulnerability in Siemens SIPROTEC devices.
Finally, the backdoor installed the launcher module, which controlled the operational implementation of the malfunction.
The backdoor acted as a preparatory instance to bring all components into the right position and to ensure communication with the external servers.
Launcher
The launcher opened itself as a regular service - presumably to camouflage itself better.
This automatically loaded and executed the payloads with the modules IEC 104, IEC 101, IEC 61850 and OPC DA. The payload modules subsequently manipulated the various components in the power supply and telecontrol system, resulting in the disruption.
With a countdown of 1-2 hours, the Data Wiper was also activated to destroy all evidence after the incident and to make it difficult to restore the system.
Payload Module
Depending on the protocols used, the individual payload modules intervene in communication with relevant components in the network control and telecontrol system.
The modules IEC 101 and IEC 104 first determined the destinations (probably RTUs of the switch-disconnector) via a configuration file. On these targets they subsequently took over the master process and switched the components into one of four previously identified modes:
1. Sequence Mode: RTU's Information Object Address (IOA) is permanently set to open and the current flow is interrupted.
2. Range Mode: Payload examines the current state of the IOA and switches it to the opposite state (open to closed, closed to open).
3. Shift Mode: So far not clarified.
4. Persist Mode: So far not clarified.
While the IEC 104 module accessed remote-controlled components, the IEC 101 module targeted devices with serial connections.
The IEC 61850 module also identified its targets via a configuration file. If there was no configuration file, it examined the network for potential targets. Using appropriate protocols, it communicated with the targets to find out if they were controlling the switch-disconnectors. If so, the module changed certain status parameters and created an action log. So far, no information is available on the specific parameters.
Finally, the OPC DA module examined all OPC servers and related components on the network for files associated with ABB devices that contain the string "ctl.". If the search was positive, the plant status data was rewritten to double "0x01" in the files. In the control language, this means that the affected component is operating above its load limit. As a result, the operator received an incorrect status value of the component in the SCADA. This form of attack is also known as denial-of-visibility, as the operators of a plant become blind to the actual process data.
In addition to the concrete manipulation of the controls by the IEC modules, the control visualization was thus effectively manipulated.
Data Wiper
The Data Wiper was meant to start 1-2 hours after the payload modules had been launched. Its function was to conceal the attack and to make system recovery harder. For this purpose, three core steps were carried out:
1. Delete all registry keys associated with the system.
2. Overwrite all control network configuration files on all hard drives and network drives, with a particular focus on ABB PCM600 configuration files.
3. Overwrite all generic Windows files.
These steps made the entire system unusable.
Why did IT security technologies fail?
Currently, it is not known which security measures were active in the systems of the distribution system operator. In general, however, it can be assumed that perimeter firewalls were in place, applied toward the Internet at the transition between power supply and telecontrol system.
Industroyer came with two features that made it impossible for the security solution to identify the malware:
1. The malware was unknown. Thus it was not detected as a danger when entering the system.
2. The malware communicated and acted in the native language of the industry protocols.
In addition, the malware within the system could probably operate undetected because the IT security technology (firewall) only monitored the "gates" to and from the system. However, a firewall does not have any insight into the system.
Could the malware have been detected?
A solution with real-time anomaly detection based on Deep Packet Inspection technology would have detected and reported the attack at an early stage.
Anomaly detection would have already identified the main backdoor as a new network participant. Subsequently, the new communication links between the main backdoor, its newly installed components and the network components (RTUs, OPC server) would have been reported as suspicious. Already in the first phase of the attack, the operator would have been informed about these suspicious activities.
Furthermore, various commands would have been noticed that are not part of the standard communication of the respective network (overwriting files or setting dynamic values). The Deep Packet Inspection technology would have provided the evidence through continuous detailed analysis of all data packets in the network. Thus the system would immediately have noticed the takeover of master processes or the hard overwriting of values.
The operators could have immediately reviewed the changes in network communication and initiated appropriate countermeasures.
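The checks described in this section and in the IEC 101/104 payload description (a new communication link, switching commands from a host that is not the known master, and one host commanding many IOAs) can be sketched as follows. This is an added example, not code from ESET, Dragos or any product; the baseline, the addresses, the sweep threshold and the function names are assumptions, and it assumes one IEC 104 APDU per TCP payload.

```python
import struct
from collections import defaultdict

# Process commands in the control direction (IEC 60870-5-101/104 type IDs
# 45-51, and 58-64 with time tag), e.g. 45 = C_SC_NA_1, 46 = C_DC_NA_1.
COMMAND_TYPES = set(range(45, 52)) | set(range(58, 65))

def parse_apdu(payload):
    """Return (type_id, cot, common_addr, first_ioa) for an I-format APDU, else None."""
    if len(payload) < 6 or payload[0] != 0x68 or payload[1] + 2 > len(payload):
        return None
    if payload[2] & 0x01:              # S- and U-format frames carry no ASDU
        return None
    asdu = payload[6:2 + payload[1]]
    if len(asdu) < 9:                  # 6-byte ASDU header + 3-byte IOA
        return None
    type_id, _vsq, cot, _orig, ca = struct.unpack_from("<BBBBH", asdu)
    return type_id, cot & 0x3F, ca, int.from_bytes(asdu[6:9], "little")

def detect(packets, baseline, sweep_threshold=3):
    """packets: (src, dst, tcp_payload); baseline: known (master, outstation) pairs."""
    alerts, seen, commanded = [], set(), defaultdict(set)
    for src, dst, payload in packets:
        link = (src, dst)
        if link not in baseline and (dst, src) not in baseline and link not in seen:
            seen.add(link)
            alerts.append(("new_link", src, dst))
        parsed = parse_apdu(payload)
        # Only activation (6) / deactivation (8) requests are commands being issued.
        if not parsed or parsed[0] not in COMMAND_TYPES or parsed[1] not in (6, 8):
            continue
        type_id, _cot, _ca, ioa = parsed
        if link not in baseline:
            alerts.append(("command_from_unknown_master", src, dst, type_id, ioa))
        if ioa not in commanded[link]:
            commanded[link].add(ioa)
            if len(commanded[link]) == sweep_threshold:
                alerts.append(("ioa_sweep", src, dst))
    return alerts

def build_command(type_id, ioa, value, cot=6, ca=1):
    """Constructed test frame: one I-format APDU carrying a single command object."""
    asdu = struct.pack("<BBBBH", type_id, 1, cot, 0, ca)
    asdu += ioa.to_bytes(3, "little") + bytes([value])
    return bytes([0x68, 4 + len(asdu)]) + b"\x00" * 4 + asdu

# Constructed sample traffic (documentation addresses, not from the incident).
BASELINE = {("192.0.2.5", "192.0.2.20")}
SAMPLE = [("192.0.2.5", "192.0.2.20", build_command(45, 100, 0x01))]
SAMPLE += [("192.0.2.99", "192.0.2.20", build_command(45, i, 0x00)) for i in (10, 11, 12)]
SAMPLE.append(("192.0.2.5", "192.0.2.20", bytes([0x68, 4, 0x43, 0, 0, 0])))  # TESTFR act
ALERTS = detect(SAMPLE, BASELINE)
```

In a real deployment the baseline would be learned from a period of known-good traffic, and the sweep threshold tuned to how many points the legitimate master normally commands.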