Is Industroyer the biggest security threat to critical infrastructure since Stuxnet?

Industroyer malware trialed in attack on Ukrainian power grid in 2016

Researchers have uncovered new malware, called Industroyer, that they claim is the biggest threat to critical infrastructure since Stuxnet.

Stuxnet was the malicious worm responsible for causing substantial damage to Iran's nuclear programme more than seven years ago. It is believed to have been developed in the US with the specific intention of targeting Iran.

The new malware, analysed by researchers at security company ESET, is capable of performing attacks similar to the 2016 cyber attack on the country's power grid, which took down power in the Ukrainian capital Kiev for an hour.

However, whether exactly the same malware was involved in that attack has yet to be confirmed. ESET claimed that the malware is nonetheless capable of doing significant harm to electrical power systems, and could even be redesigned to target other types of critical infrastructure.

In a blog post, ESET's Anton Cherepanov explained that Industroyer uses industrial communication protocols, such as those found in worldwide power supply infrastructure, transportation control systems and other critical infrastructure systems, to control electricity substation switches and circuit breakers directly.

He added that these switches and circuit breakers are the digital equivalents of analogue switches, meaning they can be engineered to perform various functions ranging from turning off power distribution to cascading failures and damaging equipment.

"Industroyer's dangerousness lies in the fact that it uses protocols in the way they were designed to be used," Cherepanov said.

"The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world. Thus, their communication protocols were not designed with security in mind.

"That means that the attackers didn't need to be looking for protocol vulnerabilities; all they needed was to teach the malware 'to speak' those protocols," he added.

What is Industroyer?

Industroyer's core component is a backdoor used by attackers to manage the attack. It installs and controls the other components and connects to a remote server to receive commands and to report to the attackers.

According to ESET, what sets Industroyer apart from other malware targeting infrastructure is the use of four payload components that target particular communication protocols. It said that this showed that the author had a deep knowledge and understanding of industrial control systems.

The malware is also equipped with features to enable it to remain under the radar, to ensure the malware's persistence and to wipe all traces of itself after it has completed its job.

For example, the communication with the C&C servers hidden in Tor can be limited to non-working hours, and it employs an additional backdoor which looks like a Notepad application, that is designed to regain access to the targeted network in case the main backdoor is detected and/or disabled.

Industroyer is highly customisable malware. It can be used to target specific hardware - analysis showed it had been used against industrial power control products by ABB, for example, while its denial of service (DoS) component works specifically against Siemens SIPROTEC devices.
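The practical consequence of Cherepanov's point is that the protocol traffic itself looks legitimate, so a defender has to key on which hosts are speaking ICS protocols and when the command-and-control channel is used, rather than on malformed packets. The following added example (not ESET's code and not from the original article) applies two such allowlist-based checks to a constructed flow log: ICS control sessions from a host that is not an authorised engineering station, and outbound connections to external addresses outside working hours, matching the off-hours Tor C&C behaviour described above. The port-to-protocol map, the engineering-station allowlist, the internal address range, the working hours and the flow records are all assumptions made for the example.

```python
"""Allowlist-based flow-log checks for Industroyer-style behaviour:
(1) ICS control protocol sessions from hosts that are not authorised
engineering stations, and (2) outbound sessions to external addresses
outside working hours. All inputs below are constructed for this example."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: TCP ports that carry ICS control protocols on this network.
# IEC 60870-5-104 is standardised on TCP/2404; the second entry is a
# placeholder for a site-specific IEC 61850 MMS service.
ICS_PORTS = {2404: "IEC-104", 102: "MMS/IEC-61850"}

# Assumption: only these hosts may originate ICS control sessions.
ENGINEERING_ALLOWLIST = {"10.10.1.5", "10.10.1.6"}

# Assumption: site-internal address space; anything else counts as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Assumption: working hours are 07:00-18:59 site-local time.
WORKING_HOURS = range(7, 19)

# Constructed flow log, one record per line: "timestamp src dst dport bytes".
SAMPLE_FLOWS = """\
2016-12-17T09:15:02 10.10.1.5 10.10.20.11 2404 1820
2016-12-17T22:41:10 10.10.3.44 10.10.20.11 2404 960
2016-12-17T23:05:31 10.10.3.44 192.0.2.10 443 5120
2016-12-17T10:02:15 10.10.1.6 10.10.20.12 102 2210
2016-12-17T11:30:00 10.10.3.44 10.10.5.7 445 700
"""


def parse_flow(line):
    """Split one flow record into a dict with typed fields."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}


def is_internal(addr):
    """True if the address falls inside the assumed internal ranges."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def classify(flow):
    """Return the list of alert tags for one flow (empty when nothing fires)."""
    alerts = []
    proto = ICS_PORTS.get(flow["dport"])
    # Check 1: the protocol is legitimate, so the anomaly is the speaker.
    if proto and flow["src"] not in ENGINEERING_ALLOWLIST:
        alerts.append(f"ics-from-unauthorised-host:{proto}")
    # Check 2: external session at a time when no operator should be working.
    if not is_internal(flow["dst"]) and flow["ts"].hour not in WORKING_HOURS:
        alerts.append("external-c2-off-hours")
    return alerts


def scan(log_text):
    """Map each flow line that raised an alert to its alert tags."""
    findings = {}
    for line in log_text.strip().splitlines():
        tags = classify(parse_flow(line))
        if tags:
            findings[line] = tags
    return findings


if __name__ == "__main__":
    for line, tags in scan(SAMPLE_FLOWS).items():
        print(line, "->", ", ".join(tags))
```

On the constructed log, the two authorised engineering stations pass unflagged even though they speak IEC-104 and MMS, while the workstation at 10.10.3.44 is flagged once for opening an IEC-104 session and once for an external session at 23:05. Neither check inspects protocol contents, which is the point: a properly formed command from the wrong host, or at the wrong time, is the only signal this kind of malware leaves on the wire.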

Cherepanov concluded that while it was difficult to attribute attacks to malware without performing an on-site incident response, it was "highly probable" that Industroyer was used in the December 2016 attack on the Ukrainian power grid.