On Monday, a report analyzing the malware likely used to perform the December 2016 cyber attack against a Ukrainian power operator was released.
While it is public knowledge that the outage on December 19, 2016 was the result of a cyber attack, the “smoking gun” had yet to be discovered and publicly disclosed. This malware, named “CrashOverride” after the name of the main function it uses to begin execution, has also been dubbed “Industroyer” by other firms, as it is clearly a cyber weapon built to disrupt industrial processes and potentially create havoc in the physical world.
SecurityMatters’ customers sought assistance in the aftermath of the December 2016 attack, as well as after this report was released, to assess their readiness against this specific threat. This article provides a quick assessment of the malware and guidance for detecting its various stages.
What the Malware Does
The malware has been built as a modular framework that can adjust to different target infrastructures. The authors have created several attack modules for various protocols that are typically found in electric power grids (such as IEC 101 and 104, IEC 61850, OPC) but are also common to gas and oil pipeline organizations (except for IEC 61850).
It is important to note that, except for one module exploiting a known vulnerability (CVE-2015-5374) to create a denial of service, the disruption is achieved by executing regular commands on ICS field devices (e.g. open/close breakers).
The various modules use information found on the infected machine (for instance, a SCADA master) to improve the likelihood of disrupting the underlying industrial process. For instance, the malware looks for specific configuration files used to instrument RTUs and IEDs in order to learn the actual memory addresses to target.
The malware contains additional modules that do not aim to achieve disruption but demonstrate the sophistication of this threat, such as:
- Remote Control: The malware attempts to connect to the Internet and contact a Command & Control (C&C) server, most likely to receive additional commands or report gathered information.
- Backdoor: The malware installs itself as a system service to persist across reboots.
- Wiper: The malware will delete relevant files, including configuration files for RTUs and IEDs, as happened in the attack on the Ukrainian power grid.
- OPC Scanner: Like Havex/Dragonfly, the malware will scan the network using OPC to gain better visibility into the various assets.
What the Malware Does Not Do
At this stage, with few samples available for analysis, no large-scale propagation technique has been found, meaning the malware does not seem to attempt to replicate itself in the network.
Moreover, the malware does not seem to exploit any known or unknown (0-day) vulnerability in order to infect the target machine. As of now, it is not publicly known how the malware was actually launched on the infected machine initially.
Last but not least, no DNP3 attack module has been found so far. The DNP3 protocol is equivalent to the IEC 101/104 protocol family and is typically found in North America and some Asian countries. However, it would be rather simple for skilled attackers to expand the current code base and develop such a module.
How to Detect this Threat
As suggested by US-CERT in its alert, behavioral analysis techniques are crucial for identifying precursor and attack activity, such as:
- Connection attempts to the Internet to reach the C&C server and subsequent communications
- OPC scanning
While each individual command issued during the actual attack may look legitimate on its own, the overall sequence is anomalous and never occurs during daily operations.
How Can SilentDefense Help?
SilentDefense is a passive network monitoring and situational awareness platform. It features advanced capabilities to automatically create an inventory of active network assets and flows, detect exploitation attempts and cyber attacks and identify existing and emerging threats in the network with its behavioral analysis engines.
In the specific case of CrashOverride, SilentDefense can detect several malicious activities and speed up incident response. Here is a simple mapping between SilentDefense’s features and how they help protect your network from CrashOverride.
SilentDefense Capability | How It Helps with CrashOverride
--- | ---
Features a specific set of controls to detect anomalous sequences of open/close commands over the protocols used by the malware. | The malware executes anomalous sequences of legitimate commands to open/close switch breakers or keep switch breakers open.
Features a specific Industrial Threat Library check to detect communications between the industrial network and public IP addresses, such as C&C servers. | The malware attempts to connect to the Internet and contact a C&C server, most likely to receive additional commands or report gathered information. Before doing that, it attempts to connect to an internal proxy server on TCP port 3128.
Detects previously unseen communications thanks to its automated behavioral analysis engines. | The malware might leverage OPC to scan for assets within the industrial network.
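The following script is an added illustration of the behavioral checks described under “How to Detect this Threat” and in the table above; it is not SecurityMatters’ or SilentDefense’s code. It runs three checks over constructed flow and ICS command records: industrial-zone hosts contacting public IP addresses, industrial-zone hosts connecting to the proxy port (TCP 3128) named in the report, and bursts of open/close commands on a single controlled object. The ICS zone range (10.20.0.0/16), the burst threshold (more than 4 commands within 30 seconds), and all sample records are assumptions made for the example; the external address 203.0.113.7 is a documentation address standing in for a C&C host.

```python
"""Behavioral checks for CrashOverride-style activity (added example, not vendor code).

Runs three checks over constructed flow and ICS command records:
  1. ICS-zone hosts reaching public IP addresses       -> possible C&C contact
  2. ICS-zone hosts connecting to TCP port 3128        -> internal proxy attempt
  3. Rapid open/close bursts on one controlled object  -> anomalous command sequence
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the report): the industrial zone and the burst threshold.
ICS_ZONE = ipaddress.ip_network("10.20.0.0/16")
PROXY_PORT = 3128            # port named in the report for the proxy attempt
MAX_TOGGLES = 4              # more than this many commands on one object within WINDOW is flagged
WINDOW = timedelta(seconds=30)

# Address ranges treated as internal; anything else counts as "public" here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, proto).
# 203.0.113.7 is a documentation address standing in for an external C&C host.
FLOWS = [
    ("2016-12-19T16:01:05", "10.20.1.15", "10.20.1.2", 2404, "tcp"),   # IEC 104 to an RTU
    ("2016-12-19T16:01:07", "10.20.1.15", "10.20.0.8", 3128, "tcp"),   # proxy attempt
    ("2016-12-19T16:01:09", "10.20.1.15", "203.0.113.7", 443, "tcp"),  # external host
    ("2016-12-19T16:02:00", "10.20.1.30", "10.20.1.2", 2404, "tcp"),   # IEC 104 to an RTU
]

# Constructed command records: (timestamp, src_ip, rtu_ip, object_address, command).
COMMANDS = [
    ("2016-12-19T16:05:00", "10.20.1.15", "10.20.1.2", 1001, "OPEN"),
    ("2016-12-19T16:05:02", "10.20.1.15", "10.20.1.2", 1001, "CLOSE"),
    ("2016-12-19T16:05:04", "10.20.1.15", "10.20.1.2", 1001, "OPEN"),
    ("2016-12-19T16:05:06", "10.20.1.15", "10.20.1.2", 1001, "CLOSE"),
    ("2016-12-19T16:05:08", "10.20.1.15", "10.20.1.2", 1001, "OPEN"),
    ("2016-12-19T16:05:10", "10.20.1.15", "10.20.1.2", 1001, "CLOSE"),
    ("2016-12-19T17:30:00", "10.20.1.30", "10.20.1.2", 1002, "OPEN"),   # single operator action
    ("2016-12-19T17:45:00", "10.20.1.30", "10.20.1.2", 1002, "CLOSE"),  # and its reversal later
]


def is_public(ip):
    """True when the address lies outside every range in PRIVATE_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def flag_public_egress(flows):
    """(src, dst, port) for ICS-zone hosts that contacted a public address."""
    return [(src, dst, port) for _, src, dst, port, _ in flows
            if ipaddress.ip_address(src) in ICS_ZONE and is_public(dst)]


def flag_proxy_attempts(flows):
    """(src, dst) for ICS-zone hosts opening TCP connections to the proxy port."""
    return [(src, dst) for _, src, dst, port, proto in flows
            if proto == "tcp" and port == PROXY_PORT
            and ipaddress.ip_address(src) in ICS_ZONE]


def flag_toggle_bursts(commands):
    """((src, rtu, object), count) where `count` open/close commands hit the same
    object inside one WINDOW (sliding) and count exceeds MAX_TOGGLES."""
    by_object = defaultdict(list)
    for ts, src, rtu, obj, cmd in commands:
        if cmd in ("OPEN", "CLOSE"):
            by_object[(src, rtu, obj)].append(datetime.fromisoformat(ts))
    hits = []
    for key, times in by_object.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1          # slide the window forward past stale commands
            best = max(best, end - start + 1)
        if best > MAX_TOGGLES:
            hits.append((key, best))
    return hits


def run(flows=FLOWS, commands=COMMANDS):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "public_egress": flag_public_egress(flows),
        "proxy_attempts": flag_proxy_attempts(flows),
        "toggle_bursts": flag_toggle_bursts(commands),
    }


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

The burst check is the one that matters for the “legitimate commands, anomalous sequence” point: each OPEN or CLOSE on object 1001 would pass a per-command whitelist, but six of them in ten seconds from one host is the kind of pattern that never appears in normal operation, whereas the operator’s single open and later close on object 1002 is left alone. In a real deployment the thresholds would be learned from a baseline of the site’s own traffic rather than fixed by hand.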
What Now?
This malware was clearly created by sophisticated adversaries, and the cyber attack that took place in December 2016 felt like a “proof of concept” for a larger attack/operation that has yet to take place. Currently, there is no proof that this malware was used in other instances.
The now publicly available malicious code could be repacked or modified by different actors and used against other organizations. However, as the malware does not seem to contain any exploitation of previously known or unknown vulnerabilities in order to propagate, attackers will need to find a way into an organization’s infrastructure to deploy and run the malicious code.
A successful breach was achieved in both instances in Ukraine, and therefore, asset owners should not underestimate the risk of being attacked. The use of behavioral analysis techniques and network monitoring solutions can help detect early stages of the attack.