
Dangerous ‘Industroyer’ Malware Targets Industrial Control Systems

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

Newly-discovered malware exploits security failings in industrial protocols

ESET has discovered a new malware family that it describes as “the biggest threat to critical infrastructure since Stuxnet”: it targets the industrial control systems behind electric power grids, which were built without basic security protections.

The malware is believed to have already been used in the December 2016 attack on the power grid in Kiev, Ukraine, which left large parts of the city without electricity.

Ominously dubbed ‘Industroyer’, it can do significant damage to electric power systems because it can directly operate the switches and circuit breakers inside electricity substations.

Power grid

Industrial targets

Control is achieved by speaking the industrial communication protocols used worldwide in power supply infrastructure, transportation control systems and other critical infrastructure such as water and gas. ESET’s analysis names four of them: IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA.

“These switches and circuit breakers are digital equivalents of analogue switches; technically they can be engineered to perform various functions,” explains ESET security researcher Anton Cherepanov.

“Thus, the potential impact may range from simply turning off power distribution, cascading failures and more serious damage to equipment. The severity may also vary from one substation to another, as well. Needless to say, disruption of such systems can directly or indirectly affect the functioning of vital services.”

The real worry with Industroyer is that the protocols it speaks were designed without security in mind: they carry no authentication, so a command is accepted from any host that can reach a controller on the network. The attackers therefore did not need to find a single vulnerability; all they had to do was teach the malware to ‘speak’ the protocols correctly.
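To make the “just speak the protocol” point concrete, here is an added example, written for this page and not taken from the article or from ESET’s analysis, using IEC 60870-5-104, one of the four protocols ESET documented in Industroyer’s payloads. It encodes and decodes 104 I-frames, shows that a single command (type 45) or double command (type 46) that opens a breaker is nothing more than a dozen unauthenticated bytes, and then runs the only check the protocol leaves a defender: whether the command came from an approved SCADA master. The substation layout, IP addresses, information object addresses and frames are all constructed for the example.

```python
"""Decoder for IEC 60870-5-104 I-frames plus a source-allowlist audit.

Added example (not from the article or ESET): an IEC 104 control command
carries no credential, so any host on the substation network can issue
one; the only thing a defender can check is who sent it.
Addresses, IOAs and frames below are constructed for the example.
"""
import struct
from dataclasses import dataclass

TYPE_NAMES = {
    1: "M_SP_NA_1 single-point information",
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    100: "C_IC_NA_1 interrogation command",
}
CONTROL_TYPES = {45, 46}          # type IDs that switch field equipment
COT_ACTIVATION = 6                # cause of transmission "act"


def build_i_frame(type_id, cot, common_addr, ioa, element, tx=0, rx=0):
    """Encode one ASDU with a single information object into an I-frame."""
    # ASDU header: type, VSQ (one object), COT, originator address, common address
    asdu = struct.pack("<BBBBH", type_id, 1, cot & 0x3F, 0, common_addr)
    asdu += ioa.to_bytes(3, "little") + bytes([element])
    # APCI control fields: N(S) and N(R), each stored left-shifted by one bit
    ctrl = struct.pack("<HH", (tx << 1) & 0xFFFE, (rx << 1) & 0xFFFE)
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    ioa: int
    element: int

    def is_control(self):
        return self.type_id in CONTROL_TYPES and self.cot == COT_ACTIVATION

    def describe(self):
        name = TYPE_NAMES.get(self.type_id, f"type {self.type_id}")
        if self.type_id == 45:                       # SCO: bit 0 = on/off
            state = "ON" if self.element & 0x01 else "OFF"
        elif self.type_id == 46:                     # DCO: bits 0-1 = 1 off, 2 on
            state = {1: "OFF", 2: "ON"}.get(self.element & 0x03, "invalid")
        else:
            return name
        phase = "select" if self.element & 0x80 else "execute"   # S/E bit
        return f"{name}: {phase} {state} on IOA {self.ioa}"


def parse_apdu(buf):
    """Return the Asdu carried by an I-frame, or None for S-/U-format frames."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if buf[1] != len(buf) - 2:
        raise ValueError("APDU length field does not match frame")
    if buf[2] & 0x01:                  # bit 0 set: S- or U-format, no ASDU
        return None
    asdu = buf[6:]
    if len(asdu) < 10:
        raise ValueError("ASDU too short for one information object")
    type_id, _vsq, cot, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
    ioa = int.from_bytes(asdu[6:9], "little")
    return Asdu(type_id, cot & 0x3F, ca, ioa, asdu[9])


def audit(traffic, allowed_masters):
    """Flag control commands from any source not in the SCADA master allowlist.

    `traffic` is an iterable of (source_ip, apdu_bytes). The frames themselves
    offer nothing to verify, so the network-level allowlist is the whole check.
    """
    alerts = []
    for src, frame in traffic:
        asdu = parse_apdu(frame)
        if asdu and asdu.is_control() and src not in allowed_masters:
            alerts.append(f"{src} -> CA {asdu.common_addr}: {asdu.describe()}")
    return alerts


# Constructed sample traffic for a fictional substation (common address 1).
MASTER, ROGUE = "10.0.0.5", "10.0.0.77"
SAMPLE_TRAFFIC = [
    (MASTER, build_i_frame(100, COT_ACTIVATION, 1, 0, 20)),      # interrogation
    ("10.0.0.20", build_i_frame(1, 20, 1, 2001, 0x01)),          # RTU reply
    (MASTER, build_i_frame(45, COT_ACTIVATION, 1, 1001, 0x01)),  # master: ON
    (ROGUE, build_i_frame(45, COT_ACTIVATION, 1, 1001, 0x00)),   # rogue: OFF, execute
    (ROGUE, build_i_frame(46, COT_ACTIVATION, 1, 1002, 0x01)),   # rogue: double OFF
]

if __name__ == "__main__":
    for line in audit(SAMPLE_TRAFFIC, {MASTER}):
        print("ALERT", line)
```

Note that the master’s own OFF/ON command and the rogue host’s are byte-for-byte the same shape; the decoder cannot tell them apart, which is exactly why the allowlist (or, in a real deployment, a protocol-aware network monitor and a deny-by-default firewall in front of the RTUs) has to do the work the protocol does not.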

It is also unusual among industrial infrastructure-focused malware in being modular: four interchangeable payload components, one per protocol, are loaded in stages to gain control of the system, and an extra backdoor is kept in reserve to communicate with the C&C server in case the primary backdoor is found and/or disabled.

“Thanks to its ability to persist in the system and provide valuable information for tuning-up the highly configurable payloads, attackers could adapt the malware to any environment, which makes it extremely dangerous,” Cherepanov concludes.

“Regardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve as a wake-up call for those responsible for security of critical systems around the world.”
