Late last year, power went down in Kiev

Jun 13, 2017 20:02 GMT  ·  By

Russian malware may have been behind the Ukrainian power grid attack from 2016. Dubbed the "Industroyer," this malware was designed to target critical power supplies by attacking the communication devices used on power networks. 

According to security researchers from Eset, the malware is built from four modular parts. At its core, Industroyer is a backdoor that installs and controls the other components, much like other sophisticated malware. These malicious components are directed remotely by a command-and-control server hosted on the Tor anonymity network, which makes it almost impossible to trace.

The backdoor can then be used by the attackers to trigger a series of cascading failures that force the power supplies offline and can even damage equipment.

"Industroyer’s dangerousness lies in the fact that it uses protocols in the way they were designed to be used. The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world. Thus, their communication protocols were not designed with security in mind. That means that the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware 'to speak' those protocols," Eset researchers point out.

A dark history

Power grids all over the world should be upgraded to modern security standards if incidents like the one in Ukraine are to be avoided. What makes matters worse is that it happened twice in Ukraine, in December 2015 and again in December 2016.

The 2015 incident saw perpetrators infiltrate the electricity distribution networks with the BlackEnergy malware, along with other malicious components, and abuse legitimate remote access software to control operators' workstations and cut off power.

What is more worrying about these attacks is that researchers believe the 2016 incident was a large-scale test: the attackers wanted to see whether the malware would work, and which parts of it would work, before refitting it to target other types of critical infrastructure.

"We are beginning to see an uptick in infrastructure attacks and in the case of Industroyer, the attackers seem to have extensive knowledge about industrial control protocols. Since the industrial controls used in the Ukraine are the same in other parts of Europe, the Middle East and Asia, we could see more of these attacks in the future. And while these attackers seem to be content to disrupt the system, it’s not outside the realm of possibility that they could take things a step further and inflict damage to the systems themselves," said Terry Ray, chief product strategist at Imperva.

Tim Helming, Director at DomainTools, also feels that companies should more thoroughly apply the principle of Least Privilege to avoid attacks. "Least Privilege dictates that any entity be given the absolute least level of access required--the 'entity' being anything from a kernel module all the way up the stack to the human. The best way to mitigate the risks posed by Industroyer is to prevent its implantation on the trusted network to begin with."