Breaking News: ESET has discovered a malware that is the biggest threat to critical infastructure since Stuxnet (the malicious worm that was responsible for causing substantial damage to Iran’s nuclear program) named Industroyer.
As its name suggests, Industroyer was designed to disrupt critical industrial processes. The original blog post can be found here and the accompanying whitepaper can be read here. IT security experts from One Identity, Nozomi Networks, FireMon and AlienVault commented below.
Andrew Clarke, EMEA Director at One Identity:
“There is no doubt that malware has progressively become more sophisticated—the latest variant to grab the headlines “Industroyer” or Crash Override as it is also known; seems to be a big leap forward. Unlike Stuxnet, it does not appear to be built for a specific attack; it is modular; automated and appears to be configurable to target different types of industrial systems – so far electrical power grids. It was likely used to close down the power grid in parts of Kiev, Ukraine in December 2016. In order to launch an attack however, the malware does need to scan the target network; and it is the scanning – seen as unusual network traffic – that can alert administrators to its presence.
The big question, is how does the malware get onto the network in the first place. It is likely, that it is taking advantage of vulnerabilities that have existed for some time and as typical in operational industrial systems since it provides a specific function it doesn’t need to be modified – apart from the fact that those vulnerabilities are like the unlocked door. Attention to those systems; and specifically looking at what external access is possible and then closing down that access or at least ensuring the access is only permitted for authorised and authenticated personnel/systems. Often there are hardcoded passwords in complex systems which are needed for fast interaction; and using tools that control application to application privileged password usage these can be replaced by programmatic calls that access a privileged password safe. There is no doubt that in our modern interconnected world – the traditional control systems that our society has relied on for so long is in much need a of cybersecurity upgrade!”
Andrea Carcano, Co- Founder and Chief Product Officer at Nozomi Networks:
“After years of working closely with global power generators, we have seen that network communications across grids are usually very stable and that once baselined, it’s possible to detect anomalies. Unusual messages using regular power system communication protocols can be identified and flagged, and action can be taken on them before an outage occurs. The in-depth and high-speed analysis required to do this, which involves machine learning and artificial intelligence, is described in the Nozomi White Paper “Improving ICS Cybersecurity for Substations and Power Grids.” Link can be found here: http://info.nozominetworks.com/wp-improving-ics-cybersecurity-for-substations-lp
Andrea says, “The implications of the Crash Override or Industroyer malware are significant. Unlike Stuxnet, which was designed to attack a particular uranium enrichment plant, this malware is broad-based and could affect power grids in many countries. We recommend that electric utilities monitor and improve their cyber resiliency programs, including implement real-time ICS cybersecurity and visibility solutions.”
Paul Calatayud, Chief Technology Officer at FireMon:
“The key characteristic of the Industroyer malware is that makes it difficult to detect or protect against is its use of standard ICS protocols. This means there is no exploit or abnormal behaviour to focus on that would indicate an attack or compromise. It is similar to DDoS attacks which use standard web protocols to communicate with web commerce servers.”
“The best way to protect these systems would be to deploy network segmentation to limit access to the ICS assets. The malware needs to be installed usually by a remote attack from outside the organisation. Limiting or preventing access would stop the ability of this attack to communicate with these systems. Furthermore, deploying network security policing management technologies would allow centralised monitoring of segmentation policies to ensure this defence strategy was deployed throughout the grid network.”
Chris Doman, Security Researcher at AlienVault:
“The previous 2015 attacked were widely seen as connected to a reportedly Russian group known as Sandworm. Those attacks were aided by malware but involved the attackers manually switching circuit breakers over VPN connections.”
“Todays report of later attacks in 2016 appear to have been more automated. I’ve seen reports these attacks were performed by the same attackers as in 2015, though haven’t analysed it myself.”