ICS-CERT analyzing grid-crippling malware

ICS-CERT is teasing out signatures of a new family of malware to help identify code that targets critical infrastructure.


A federal team is analyzing the malware that recently crippled Ukraine’s power grid and has developed a way to detect it in other systems.

In a July 25 alert notice, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said it was analyzing a fourth family of malware that has been shown to target industrial controls.

Crash Override, also known as Industroyer, joins other infamous malware -- including Stuxnet, Havex and BlackEnergy 2 -- on the list of potent cyberthreats to industrial controls, according to ICS-CERT.

The Department of Homeland Security has been watching research develop on Crash Override. In June, the agency's National Cybersecurity and Communications Integration Center (NCCIC) and US-CERT said they were aware of work by Slovakia-based security company ESET and the U.S. industrial cybersecurity firm Dragos to analyze the malware responsible for the 2016 cyberattack on Ukraine’s electrical grid. That attack shut down power to the Ukrainian capital of Kiev for an hour.

In June, the two companies released some of the details of their analysis, which said the malware could automate the takedown of power grids.

The attack was the second on Ukraine's electrical infrastructure. The first occurred in 2015, when BlackEnergy malware helped bring down the power grid, affecting a quarter of a million people in the country.

According to the new ICS-CERT alert, Crash Override uses a modular design to deliver payloads that target industrial control systems and is capable of "directly controlling switches and circuit breakers." Additional modules include a data-wiping component and one capable of causing a denial of service to Siemens SIPROTEC devices.

The alert states that NCCIC and ICS-CERT are analyzing samples of the Crash Override malware family, including an additional component for credential harvesting.

As part of its analysis, ICS-CERT has developed a YARA signature, built from patterns it has ferreted out of the malware's code, to help detect Crash Override components and potential variants of the malicious files.