Malware Likely Used in Ukrainian Power Grid Attack

High voltage power grid under the setting sun

Experts discovered that the 2016 power grid cyberattack in Ukraine was caused by sophisticated malware that can be very dangerous for establishments and companies worldwide.

It was on December 17 last year that Ukrenergo, the power utility company in Ukraine, was subject to a power shutdown that left hundreds of thousands of people in the country’s capital without electricity for more than an hour.

Though the Kiev outage was suspected to be the handiwork of some hackers, there was no clarity on what kind of malware was employed to precipitate the calamity.

But this mystery seems to have been solved now, with reports from cybersecurity experts saying they’ve indeed been able to identify the malware.

What is causing concerns to those in authority is that the technology and tools used in this breach of cybersecurity appear to be quite sophisticated and what’s more, it can be used again to cause similar or more serious damage to any industrial setup or utility and public services networks.

Outdated Systems Most Vulnerable

Two agencies—one, a firm in Slovakia that is engaged in developing security software (called ESET) and the other, a U.S. firm named Dragos Inc.—have taken time to study the methodology used and the overall scenario to come up with their explanations.

And so far, some aspects appear to be clear.

One is that this malware will find it easy to penetrate most of the legacy networks that were built several years earlier and do not have the latest cybersecurity infrastructure in place. Such networks must have been designed when the threat perception was low and the hardware and software would not be compatible with the latest updates to enhance the intensity of firewalls.

It can also be inferred that most such utility organizations might be state-owned and won’t invest in these resources easily. They are, therefore, the most vulnerable—and the scenario is not restricted to Ukraine or some other country.

The whole of Europe, the whole of Asia and even the U.S. establishments can be made targets by these unscrupulous elements and they won’t be able to do much about it.

Four-Component Methodology Revealed

The other revelation about this malware is the modus operandi. The investigators identified four distinct tools or components that the malware attackers appear to have used in Ukraine, and may form a pattern for such attacks in future as well.

These components consist of two backdoors the hackers use to gain entry into the network. One is first deployed and the other is used as a standby to thwart any move by the network system to identify and isolate the malware.

The third component is used to wipe out or destroy the system files critical to the functioning of the utility, and the fourth takes over the command and control of the circuit breakers thereafter. Any attempt by the system to re-connect will be immediately sabotaged by the malware.

Interesting Nomenclature

The experts who studied the malware and came up with the details, along with other analysts, have been debating how this issue should be labeled. Two names have stuck: “Industroyer” and “CrashOverRide.”

Irrespective of the name, the fact remains that this kind of malware can cause severe and prolonged damage to industrial setups, and poses an inestimable and difficult ability to foresee threat.

The other factor is that the malware does not involve any direct ransom demand or a zero-day warning on attacks. According to experts, the malware can only cause the attack and leave no trace behind.

Some Similarities to Stuxnet

stuxnet as binary code

Stuxnet was the malware used to render nuclear facilities dysfunctional . So, some call this malware that attacked the Ukrainian power grid as Stuxnet II.

Stuxnet was the malware used by the U.S. to render the Iranian nuclear facilities dysfunctional through sabotaging the centrifuges. So, some call this malware that attacked the Ukrainian power grid as Stuxnet II.

Another interesting debate among the experts has centered around who could have been behind the attacks. Inevitably, the needle of suspicion turns to Russia.

The experts feel that this December 2016 malware attack was caused by a hacking group, Sandworm.

The group is supposed to be receiving official government support. Since it is Ukraine that was the victim, one can easily believe this because of the ongoing issues between the two countries.

The security experts have now disseminated their findings to most nations and also corporate organizations in the power distribution industry. They have advised them to beef up their cyber infrastructure and protect their systems from being attacked by malware.

Leave a Reply