Researchers Reveal Malware Designed To 'Power Down' Electric Grid (securityledger.com)

chicksdaddy writes: A sample of malicious software discovered at the site of a December 2016 cyber attack on Ukraine's electrical grid is a previously unknown program that could be capable of causing physical damage to the electrical grid, according to reports by two security firms. The Security Ledger reports: "Experts at the firm ESET and Dragos Security said on Monday that the malicious software, dubbed CrashOverride (Dragos) or Industroyer (ESET), affected a 'single transmission level substation' in the Ukraine attack on December 17th, 2016 in what appears to have been a test run. Still, experts said that features in the malware show that adversaries are automating and standardizing what were previously manual attacks against critical infrastructure, while also adding features that could be used to physically disable or damage critical systems -- the first evidence of such activity since the identification of the Stuxnet malware in 2010. The Crash Override malware 'took an approach to understand and codify the knowledge of the industrial process to disrupt operations as STUXNET (sp) did,' wrote Dragos Security in a report. The malware improves on features seen in other malicious software that is known to target industrial control systems. Specifically, the malware makes use of and manipulates industrial control system-specific communications protocols. That's similar to features in ICS malware known as Havex that targeted grid operators in Europe and the United States in 2014. The Crash Override malware also targeted the libraries and configuration files of so-called 'Human Machine Interfaces' (or HMIs) to understand the environment it has infected. It can use HMIs, which provide a graphical interface for managing industrial control system equipment, to spread to other Internet-connected equipment and systems, Dragos said."
  • by Anonymous Coward on Monday June 12, 2017 @05:57PM (#54606051)

    No doubt Putin's team of state hackers is behind this. Part of his plan to reconquer all former Soviet republics.

    Now watch the filthy little paid Russian shills downmod this post down to hell, as always happens anytime Putin or Russia are mentioned on Slashdot.

    • by Anonymous Coward

      I modded you down.

      Where's my fucking check, then, asshole?

  • Power Down (Score:3, Informative)

    by tquasar ( 1405457 ) on Monday June 12, 2017 @06:01PM (#54606071)
    I live in southern California and there are two major electric lines, one from the east and the other from the north. Damage to either would be likely, and due to their remote location, there would be a six- or eight-hour drive from the nearest place that might have any repair ability. There's no power to pump fuel from underground tanks, so how can any agency respond? Add an earthquake to the scene....
    • Re: (Score:1, Funny)

      by Anonymous Coward

      Dude, not to worry, you're in SoCal. Arnold Schwarzenegger, Sylvester Stallone, Bruce Willis, Nicolas Cage, Clint Eastwood, Jason Statham, Harrison Ford, Dwayne Johnson, Denzel Washington, and the rest all live like blocks from here. These dudes can get us out of anything.

  • by SCVonSteroids ( 2816091 ) on Monday June 12, 2017 @06:02PM (#54606077)

    Maybe I'm being too critical of everything these days, but I find it surprising that these sorts of things are even news. Shouldn't it be expected, even before its inception, that people are going to try and fuck with important things if they can? ESPECIALLY when they can do it anonymously?

    I think I need to escape to the woods, and fucking soon, for a long time.

  • by Gravis Zero ( 934156 ) on Monday June 12, 2017 @06:07PM (#54606091)

    Why the fuck are these systems connected to the internet?

    • by KiloByte ( 825081 ) on Monday June 12, 2017 @06:18PM (#54606113)

      From a technical point of view, only because it was more convenient and less costly.

      But the real reason is, in almost all countries this tends to be "good enough" as no one will dare to attack you -- even if the attack itself can be easily anonymized, "cui bono" makes the attacker obvious (and a false flag operation would be pretty risky).

      Except for Ukraine -- a country with a big, powerful enemy it's currently at war with, and which has no friends. It's beyond obvious who wants to destroy their power grid, but at this moment Russia has no real downside in revealing their hand. Thus, this is a show of strength.

      • But the real reason is, in almost all countries this tends to be "good enough" as no one will dare to attack you -- even if the attack itself can be easily anonymized, "cui bono" makes the attacker obvious (and a false flag operation would be pretty risky).

        The problem is that this is no longer true due to the threat that climate change poses. Every person on this planet now has cause to disrupt operations at the vast majority of the world's power plants. The more disruptive they are to a polluting power plant/company, the greater the monetary incentive to use non-polluting energy sources, or for people to go off-grid with solar and battery systems. Now that attacks have been shown to be quite feasible, they could be coming to every polluting plant, everywhere.

        • by Anonymous Coward

          I want some of what you're smoking.

          The vast majority of environmentalists think that they are only using green electrons to make their frappuccinos and recharge their iPhones, and it's those capitalists who are using all the dirty electrons to watch their NASCAR and run their air conditioners. It's always someone else causing the problem.

      • agreed
    • by SCVonSteroids ( 2816091 ) on Monday June 12, 2017 @06:19PM (#54606121)

      My musings on it:

      At the time, the engineers were cocky and thought nobody would be able to fuck with it. Maybe at the time they were correct. Current engineers see the problem, but the solution costs too much, so everyone just wishes it would go away and doesn't talk about it too much. I've never had much fun trying to explain something super technical (but super important) to someone who was stressed out and knew fuck all of what I was talking about (but occupied a role of higher power, yeah I'm talking about managers, OK?).

      Fortunately, we've all been able to sit back and enjoy corporations falling prey to this kind of thought process, but someday, they'll hit just the right target where it'll cause real damage. I'm not talking the kind of damage where some exec. can't refurbish his yacht, and formulates some kind of propaganda with his friends to make it so he can. I'm talking the kind of damage where civilization grinds to a halt, and mass panic ensues.

      • by dbIII ( 701233 ) on Monday June 12, 2017 @07:20PM (#54606343)

        At the time, the engineers were cocky and thought nobody would be able to fuck with it. Maybe at the time they were correct.

        You are incorrect.
        Back in the day we wanted either a total air gap (which we used to have) or dedicated secure networks like the banks were using. Management just about everywhere didn't like that and went shopping for consultants that gave them a cheap answer and they didn't care if the consultants knew what they were talking about or not. Various trade magazines at the time had a lot about the fuss and potential consequences but were ignored.
        Don't blame the engineers for a policy decision that they argued against.
        As for "Current engineers see the problem" - have you SEEN the IoT security clusterfucks in progress? Over the weekend there was an article about one here, poor defaults on the Raspberry Pi causing problems. There is definitely no reason to be smug and certainly no reason to feel superior.

        • by Anonymous Coward

          In the old days, i.e. before 1994 when most of the US deregulated, a utility company could gold-plate their EMS SCADA and pass all the costs on to us residential consumers in the name of reliability services. Once they had to compete, you started seeing cost-saving measures like VPN arrive, and yes, there was a time when one would say "Why is this on the Internet?!?" The 2001 terrorist attack led to CEII rules, but people were getting complacent by 2007. The DOE ran a project called Aurora that scared the cr

        • The Pi issue wasn't about poor defaults: it was about the designers making the assumption, which turned out to be wrong, that every user would know the importance of changing the password before putting their device on the internet. It turns out that even among the more technically-minded people who would usually buy a Pi, a lot of them are completely ignorant of the most basic security practices.

        • Interesting. Which trade mags are worth a look/read? Interested to see if this (now historical) debate played out publicly in any way.
          • by dbIII ( 701233 )
            The EPRI stuff and Engineers Australia were the ones I remember but IEEE are likely to have had something.
            It was all completely obvious stuff anyway.
        • Hah, it's funny 'cause I was thinking to actually log on last night to reply to my comment, bashing myself about how cynical that was towards a group of people who, in general, definitely don't get cocky, and for sure don't exercise their "I don't care" muscles very often either. Apologies, I've been in rant mode as of late.

          I have HEARD of the "IoT security clusterfuck in progress". I think anyone who has access to the internet would have. Knowledge of what IoT even is or not.
          My stance? I don't honestly care.

      • by AHuxley ( 892839 )
        Back in the day sites had a fence, some guard on duty, and workers knew to look out for anyone who was wandering around.
        Today's networked engineers replaced the union staff.
        Networks span services that should never have been opened to the outside "internet" just to save costs, for investment and free trade in upgrades, or so shareholders could feel good.
    • by Strider- ( 39683 ) on Monday June 12, 2017 @06:20PM (#54606125)

      That's the thing, they don't have to be to be a problem. That was the ingenious thing with Stuxnet... It had two parts, the worm that infected internet connected hosts, and the thumbdrive vector that allowed it to jump the air gap. It's entirely likely that it originated with infected thumb drives that were dropped in parking lots/buses/etc... frequented by the Engineers working on Iran's nuclear programme. People being people, they stuck the thumb drives into their machines, on either side of the air gap, and then the worm spread through the isolated side of the network, infecting the PLCs driving their centrifuges.

      That said, I operate the network for an organization that has its own private power system (a small hydro-electric system isolated from the main grid). As much as I would like to physically isolate our power control network from our main operational network, it's unfortunately not practical. Instead, the main control of the turbines, exciters, generators and such is strongly firewalled, and then the load shedding components in the rest of the campus are on an isolated VLAN. There is additional protection through strategic use of VRFs and the like. Is it perfect? No, but it's the best I can do.

      • by plover ( 150551 )

        I still wonder if the "jumping the air gap" capability of Stuxnet was added as a diversion to protect an inside agent at Natanz. It seems like a sketchy plan to rely on someone inserting an infected USB stick into the isolated network. Instead, they may have had an anti-war sympathizer on the inside who didn't want to be a part of weaponizing their uranium, and who agreed to insert the stick as long as it couldn't be traced back to them.

        Remember, the Stuxnet operation had to cross the air gap three times.

    • by AHuxley ( 892839 )
      In the USA?
      Nobody wants to pay for union workers to turn up to work and watch over equipment in their state. Just have an engineer do it from a more central location.
      The selling of the upgrade hardware for the network.
      The renting and selling for later upgrades, security and more networking.
      Teaching staff how to use the new systems.
    • Why the fuck are these systems connected to the internet?

      What systems are you talking about? In the US, systems that control grid infrastructure are not connected to the internet. Maybe there are a few countries left where that isn't true, but just because malware exists doesn't mean the target is vulnerable.

      • In the US, systems that control grid infrastructure are not connected to the internet.

        Oh how little you know.

        • Oh how much you think you know. Anybody who can read English should read the regulations first instead of just assuming. NERC and FERC have long ago mandated isolation of such control systems, and enforcement has been thorough.

          So, how much do you really know?
    • by gtall ( 79522 )

      Because any company who runs electric infrastructure has parts of it scattered geographically about. Modern grids have at least two "networks": the power network you see as transmission lines, and the control grid used to integrate the pieces, as it is impossible to run them efficiently, or probably at all, as autonomous pieces. SneakerNet is not an option.

      So, you can set up your own network and be on the hook for its maintenance, as it too will have maintenance issues, or you can piggyback off the internet. R

  • Right now they are focused on the next quarter. How about we say "Hey, if hackers screw you then we'll screw your life with prison terms and heavy fines".

    Somehow I think the focus will shift pretty quickly.
  • by nospam007 ( 722110 ) * on Tuesday June 13, 2017 @05:49AM (#54608251)

    It was that maintenance guy from British Airways.

  • "The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.

    With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from." link [wikileaks.org]
