Crash Override Malware Can Automate Mass Power Outages


Some cyberattacks take a device offline, some take companies offline, and some take entire power grids down. The potential for the last of these now exists: new malware has emerged that is capable of causing power outages by ordering industrial control systems to interrupt electricity transmission. It is named Crash Override, or Industroyer, and it is the malware responsible for the Ukrainian power outage back in December 2016.

The December attack, which took out an electric transmission substation north of Kiev and blacked out part of the Ukrainian capital for about an hour, may have been only an initial test. The attackers now appear to be testing the most evolved variant of grid-targeting malware observed yet, one that the researchers who analyzed it say could cause outages lasting up to a few days in portions of a nation's grid.

How exactly does it work? The initial attack vector has not been confirmed, but the infection is reported to start with phishing emails. The malware runs only on Microsoft Windows hosts; from there it reaches ICS devices through four payload modules, one for each of four ICS protocols:

IEC 60870-5-101 (aka IEC 101)

IEC 60870-5-104 (aka IEC 104)

IEC 61850

OLE for Process Control Data Access (OPC DA)

Once inside, the malware installs a second backdoor, a trojanized version of Windows Notepad. It serves as a backup in case the main backdoor is discovered and gives the attackers a foothold that survives reboots.

Additionally, the threat actors used a custom denial-of-service (DoS) tool that exploited a flaw in Siemens SIPROTEC protection relays, tracked as CVE-2015-5374, to render the devices unresponsive. They also used a custom port scanner to map the target's network and a custom data wiper that crashes the infected Windows hosts, destroying evidence and complicating incident response for IT security analysts.

What next? The good news: known malicious samples are detected with a minimum DAT of 8568 for VSE and Web Gateway or 3019 for ENS. Microsoft has patches available, and Siemens published fixed firmware for CVE-2015-5374 back in 2015, so make sure to keep both Windows systems and ICS devices up to date. The malware can also be detected on the wire if utility companies monitor their ICS networks for abnormal traffic: for example, an unexpected host interrogating a substation to learn which data points and devices exist, or control commands that open and close breakers coming from a host that is not a known SCADA master.
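The following is an added example, not code from the original post and not McAfee's or ESET's tooling, showing what the network monitoring described above looks like for the IEC 60870-5-104 protocol from the list earlier in the post. It parses IEC 104 APDUs, flags commands and station interrogations that come from a host not on an allowlist of known masters, and separately flags a host that keeps issuing commands to the same information object (the way the 104 payload toggles a breaker). The IP addresses, the `known_masters` allowlist, the `TOGGLE_THRESHOLD` value and every packet in `SAMPLE_PACKETS` are constructed assumptions for the example; in practice the packets would come from a passive tap on TCP port 2404.

```python
"""Detection of suspicious IEC 60870-5-104 traffic (added example, not McAfee's
or ESET's code). Assumes a passive tap that hands us (src_ip, tcp_payload) pairs
for port 2404 and a set of hosts legitimately allowed to issue commands; all
sample traffic below is constructed for the example."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# ASDU type identifiers in the control direction (commands and set-points).
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set-point (normalized)",
    49: "C_SE_NB_1 set-point (scaled)", 50: "C_SE_NC_1 set-point (float)",
    51: "C_BO_NA_1 bitstring command", 58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)", 60: "C_RC_TA_1 regulating step (time-tagged)",
    61: "C_SE_TA_1 set-point (time-tagged)", 62: "C_SE_TB_1 set-point (time-tagged)",
    63: "C_SE_TC_1 set-point (time-tagged)", 64: "C_BO_TA_1 bitstring command (time-tagged)",
}
# Station/counter interrogation: how a master (or an intruder) learns which IOAs exist.
INTERROGATION_TYPE_IDS = {100: "C_IC_NA_1 interrogation", 101: "C_CI_NA_1 counter interrogation"}
COT_ACTIVATION = 6          # cause of transmission "activation"
TOGGLE_THRESHOLD = 3        # assumed: commands to one IOA within the capture window


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_address: int
    ioa: int
    element: int            # first byte of the information element (SCO, DCO, ...)


def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Parse one IEC 104 APDU. Returns the ASDU of an I-format frame, None for S/U frames."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (missing 0x68 start byte)")
    if data[1] + 2 != len(data):
        raise ValueError("APDU length field does not match payload length")
    if data[2] & 0x01:      # control octet 1 ends in 01 (S-format) or 11 (U-format): no ASDU
        return None
    asdu = data[6:]
    if len(asdu) < 10:      # 6-byte ASDU header + 3-byte IOA + at least one element byte
        raise ValueError("truncated ASDU")
    return Asdu(
        type_id=asdu[0],
        cot=asdu[2] & 0x3F,                         # low 6 bits; bit 6 = P/N, bit 7 = test
        common_address=asdu[4] | (asdu[5] << 8),
        ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
        element=asdu[9],
    )


def detect(packets: Iterable[Tuple[str, bytes]], known_masters: set) -> List[str]:
    """Alert on commands/interrogations from unknown hosts and on repeated commands to one point."""
    alerts: List[str] = []
    commands_per_point: Counter = Counter()
    for src, payload in packets:
        asdu = parse_apdu(payload)
        if asdu is None or asdu.cot != COT_ACTIVATION:
            continue        # monitored data (COT 1/3/20 ...) and confirmations are not commands
        if asdu.type_id in INTERROGATION_TYPE_IDS and src not in known_masters:
            alerts.append(f"{src}: {INTERROGATION_TYPE_IDS[asdu.type_id]} of CA {asdu.common_address} from non-master host")
        if asdu.type_id in CONTROL_TYPE_IDS:
            if src not in known_masters:
                alerts.append(f"{src}: {CONTROL_TYPE_IDS[asdu.type_id]} to CA {asdu.common_address} IOA {asdu.ioa} from non-master host")
            commands_per_point[(src, asdu.common_address, asdu.ioa)] += 1
    # The 104 payload runs on a compromised Windows host that may itself be a legitimate master,
    # so an allowlist alone is not enough: also flag any host hammering the same breaker.
    for (src, ca, ioa), n in commands_per_point.items():
        if n >= TOGGLE_THRESHOLD:
            alerts.append(f"{src}: {n} commands to CA {ca} IOA {ioa} in one window (possible breaker toggling)")
    return alerts


def build_i_frame(type_id: int, cot: int, common_address: int, ioa: int, element: bytes, seq: int = 0) -> bytes:
    """Build a single-object I-format APDU (used here only to construct sample traffic)."""
    asdu = bytes([type_id, 0x01, cot, 0x00, common_address & 0xFF, (common_address >> 8) & 0xFF,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF]) + element
    control = bytes([(seq << 1) & 0xFE, (seq >> 7) & 0xFF, 0x00, 0x00])
    return bytes([0x68, len(control) + len(asdu)]) + control + asdu


# Constructed sample capture: 10.0.0.5 is the real SCADA master, 10.0.0.77 is an intruder.
SAMPLE_PACKETS = [
    ("10.0.0.5", build_i_frame(100, 6, 1, 0, b"\x14")),                     # legitimate station interrogation
    ("10.0.0.20", build_i_frame(13, 3, 1, 2001, b"\x00\x00\xa0\x42\x00")),  # RTU spontaneous float measurement
    ("10.0.0.5", build_i_frame(45, 6, 1, 1001, b"\x01")),                   # operator closes breaker 1001 (SCS=1)
    ("10.0.0.5", b"\x68\x04\x01\x00\x02\x00"),                              # S-format acknowledgement
    ("10.0.0.77", build_i_frame(100, 6, 1, 0, b"\x14")),                    # intruder enumerates the station
    ("10.0.0.77", build_i_frame(46, 6, 1, 1001, b"\x01")),                  # double command OFF (DCS=1)
    ("10.0.0.77", build_i_frame(46, 6, 1, 1001, b"\x02")),                  # double command ON  (DCS=2)
    ("10.0.0.77", build_i_frame(46, 6, 1, 1001, b"\x01")),                  # OFF again
]


def run_sample() -> List[str]:
    return detect(SAMPLE_PACKETS, known_masters={"10.0.0.5"})


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On the constructed capture the operator's interrogation and single command produce nothing, while the intruder produces an interrogation alert, three "non-master" command alerts and one toggling alert. The second rule matters more than the first in this attack: the 104 module runs on a Windows host inside the control network, which may well be the legitimate master, so source-based allowlisting catches only the sloppy case and the command-rate rule is what catches a breaker being flipped repeatedly. A production monitor would add TCP stream reassembly (several APDUs can share one segment), multi-object ASDUs and a sliding time window.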

To stay up-to-date on this cyberthreat and others like it, make sure to follow @McAfee and @McAfee_Business.
