On December 17th, 2016, the Ukrainian capital Kiev was hit by a blackout for about 75 minutes. Local investigators later confirmed that the energy outage was caused by a cyberattack. Shortly thereafter, ESET researchers analyzed a sophisticated new malware, which is the main suspect in this case. They have named it Industroyer – the biggest threat to Industrial Control Systems (ICS) since Stuxnet.
This dangerous malware was developed to exploit weaknesses in those systems and the communication protocols they use – systems developed decades ago with almost no consideration of security measures.
Read the interview with senior ESET malware researcher Robert Lipovsky and learn more about this cyberthreat.
What is Industroyer?
Industroyer is a malicious tool in the hands of a very dedicated, well-funded and persistent attacker. The malware is able to persist in the compromised network and interfere directly with critical working processes in that facility.
How dangerous is Industroyer?
The potential damage depends on the configuration of that particular facility and can vary, for example, from one substation to another, and can be anything from a simple local blackout, through to cascading failures, or potentially to even greater damage to hardware.
How is this possible?
The biggest problem is that these industrial systems and the communication protocols that they are using – that Industroyer is targeting – are used worldwide and were developed decades ago without security in mind.
Why is Industroyer compared to Stuxnet?
The gang behind Stuxnet definitely knew what they were doing. They were targeting the Iranian nuclear program. The malware was able to take direct control of centrifuges at nuclear facilities.
The same applies to Industroyer, or the gang behind it. They have demonstrated deep knowledge of Industrial Control Systems and within the malware, they implemented functions that are able to communicate directly with the switches and circuit breakers used in power grid substations.
Is Industroyer responsible for the blackouts in Ukraine?
The larger blackout happened in December 2015, where around 250,000 households in several regions in the country went without power for several hours. This was facilitated by malware called Black Energy. In December 2016, almost exactly one year later, there was another blackout. Smaller in scale and lasting only one hour, it hit only one region, but was conducted with a more advanced malware. That is Industroyer, which is suspected to be the cause in this case.
Who is responsible for this attack?
Attribution of these types of attacks is always tricky and often impossible. This time there are no clues to point in any one direction and we do not want to speculate, of course.
What is the main takeaway from the analysis of Industroyer?
The relatively low impact of the recent blackout stands in great contrast to the technical level and the sophistication of the suspected malware behind Industroyer. So, the possible explanation for this – which is the opinion of many security researchers – is that this was a large-scale test.
Whether or not that is true, the main takeaway from this (analysis) should be that this is a wake-up call for all those responsible for the security of critical infrastructure (systems) worldwide.
Read more about the Black Energy malware, which was responsible for the December 2015 power outage in nearly 250,000 households.