ICS-CERT analyzing grid-crippling malware
- By Mark Rockwell
- Jul 26, 2017
A federal team is analyzing the malware that recently crippled Ukraine’s power grid and has developed a way to detect it in other systems.
In a July 25 alert notice, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said it was analyzing a fourth family of malware that has been shown to target industrial controls.
Crash Override or Industroyer joins other infamous malware -- including Stuxnet, Havex and BlackEnergy 2 -- on the list of potent cyberthreats to industrial controls, according to ICS-CERT.
The Department of Homeland Security has been watching research develop on Crash Override. In June, the agency's National Cybersecurity and Communications Integration Center (NCCIC) and US-CERT said they were aware of work by Slovakia-based security company ESET and the U.S. industrial cybersecurity firm Dragos to analyze the malware responsible for the 2016 cyberattack on Ukraine’s electrical grid. That attack shut down power to the Ukrainian capital of Kiev for an hour.
In June, the two companies released some of the details of their analysis, which said the malware could automate the takedown of power grids.
The attack was the second on Ukraine's electrical infrastructure. The first occurred in 2015, when BlackEnergy malware helped bring down the power grid, affecting a quarter of a million people in the country.
According to the new ICS-CERT alert, Crash Override uses a modular design to deliver payloads that target industrial control systems and is capable of "directly controlling switches and circuit breakers." Additional modules include a data-wiping component and one capable of causing a denial of service to Siemens SIPROTEC devices.
The alert states that NCCIC and ICS-CERT are analyzing samples of the Crash Override malware family, including an additional component for credential harvesting.
As part of its analysis, ICS-CERT has developed a YARA signature that matches patterns in malware to help detect components and potential variants of the malicious files that ICS-CERT has ferreted out of the malware's code.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at email@example.com or follow him on Twitter at @MRockwell4.