
Industroyer or the New Specific Malware Development Environment for Industrial Control Systems

In December 2016, the energy management infrastructure in Ukraine was the target of a cyberattack; ESET has discovered and named the malware that carried out that attack Industroyer...

It has been 7 years since Stuxnet showed its face, seriously affecting industrial control systems. As is known, this APT was specifically developed to attack the Siemens PCS 7 distributed control system, the S7 series of PLCs and the WinCC SCADA software. A total of up to 22 plants and more than 100,000 infected PCs were counted, although the best-known case is the one that affected the uranium enrichment plants in Iran, in particular the Bushehr Nuclear Power Plant and the Natanz Nuclear Complex.

On the other hand, in December 2016, the energy management infrastructure in Ukraine was the target of a cyberattack that left a fifth of the country's electricity grid without power for 72 minutes (affecting more than 250,000 homes). This attack has been the subject of analysis and study, and recently ESET has discovered the malware that carried it out and named it Industroyer (Dragos has named it CrashOverride).

If we look at the attack vectors Stuxnet used against industrial control systems, we can see that Industroyer uses similar means:

  • Through social engineering or similar techniques, it is able to install a backdoor in the real-time systems that manage the electricity distribution network.
  • Industroyer is composed of 4 payloads that give access to the power circuit breakers themselves, that is, switch-type devices installed in electrical networks to protect against overloads. Figure 1, extracted from the document published by ESET, describes these payloads.
  • It takes advantage of the typical weaknesses of the specific protocols (which incorporate no security of their own) that converge in the "Smart Grid", such as IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA.
  • Communication with the C&C is carried out anonymously, using the Tor network.
  • It has the capacity to remain "deactivated" for a time so that, as happened with Stuxnet, it can be activated at a chosen moment.
  • It is a modular malware. Does this mean that we are facing a specific malware development environment for industrial control systems? Honestly, I think so. In fact, ESET has verified that some of the payloads can affect certain ABB control systems and the SIPROTEC device from Siemens, a typical device deployed in electrical substations.
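The protocol point above is the one a defender can act on directly: IEC 60870-5-104 carries breaker commands in cleartext over TCP port 2404 with no authentication, so the only thing separating a legitimate command from a malicious one is the host it came from. The following monitor is an added example, not code from the original post or from ESET; it parses an IEC 104 APDU, recognises the control-direction ASDU types (single/double commands, set points) and raises an alert when such a command is sent by a host outside a constructed allowlist of authorised master stations. The sample frames, host addresses and allowlist are constructed for the example.

```python
"""Passive monitor for IEC 60870-5-104 control commands from unexpected hosts.

Added example (not part of the original post). Parses the TCP payload of an
IEC 104 connection (port 2404) and flags process-control ASDUs that do not
originate from an authorised master station. Host addresses, the allowlist
and the sample frames below are constructed for illustration."""

from dataclasses import dataclass
from typing import Optional, Set, Tuple

START_BYTE = 0x68  # every IEC 104 APDU begins with 0x68 followed by its length

# Control-direction ASDU type identifiers (IEC 60870-5-101 / -104): the ones a
# master station uses to operate breakers and write set points.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point, normalised value",
    49: "C_SE_NB_1 set point, scaled value",
    50: "C_SE_NC_1 set point, short float",
    51: "C_BO_NA_1 bitstring of 32 bits",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    60: "C_RC_TA_1 regulating step command with time tag",
    61: "C_SE_TA_1 set point, normalised, with time tag",
    62: "C_SE_TB_1 set point, scaled, with time tag",
    63: "C_SE_TC_1 set point, short float, with time tag",
    64: "C_BO_TA_1 bitstring of 32 bits with time tag",
}


@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cause: int          # cause of transmission (COT) without the T and P/N bits
    common_addr: int    # common address of ASDU (the outstation)
    ioa: int            # information object address of the first object
    payload: bytes      # element bytes following the first IOA


def parse_apdu(data: bytes) -> Tuple[str, Optional[Asdu]]:
    """Return the frame format ('I', 'S' or 'U') and, for I-frames, the ASDU."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU")
    apdu_len = data[1]
    if apdu_len < 4 or len(data) != apdu_len + 2:
        raise ValueError("APDU length field does not match the data")
    ctrl = data[2:6]
    if ctrl[0] & 0x01 == 0:
        fmt = "I"              # information transfer: carries an ASDU
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"              # supervisory (acknowledgement only)
    else:
        fmt = "U"              # unnumbered control (STARTDT/STOPDT/TESTFR)
    if fmt != "I":
        return fmt, None
    body = data[6:]
    if len(body) < 9:
        raise ValueError("ASDU header or first information object truncated")
    num_objects = body[1] & 0x7F                 # VSQ bit 7 is the SQ flag
    cause = body[2] & 0x3F                       # COT occupies two octets in 104
    common_addr = body[4] | (body[5] << 8)       # 2-octet common address
    ioa = body[6] | (body[7] << 8) | (body[8] << 16)  # 3-octet IOA
    return fmt, Asdu(body[0], num_objects, cause, common_addr, ioa, body[9:])


def check_control_command(src_host: str, data: bytes,
                          authorised_masters: Set[str]) -> Optional[str]:
    """Return an alert string if a control ASDU comes from a non-authorised host."""
    _, asdu = parse_apdu(data)
    if asdu is None or asdu.type_id not in CONTROL_TYPE_IDS:
        return None
    if src_host in authorised_masters:
        return None
    detail = ""
    if asdu.type_id in (45, 58) and asdu.payload:
        sco = asdu.payload[0]                    # single command object
        state = "ON" if sco & 0x01 else "OFF"
        phase = "select" if sco & 0x80 else "execute"   # S/E bit
        detail = f" state={state} phase={phase}"
    return (f"ALERT {src_host} sent {CONTROL_TYPE_IDS[asdu.type_id]} "
            f"cause={asdu.cause} CA={asdu.common_addr} IOA={asdu.ioa}{detail}")


# Constructed sample frames (not captured traffic).
# I-frame, C_SC_NA_1 (type 45), COT 6 = activation, CA 1, IOA 1, SCO = execute ON.
SAMPLE_SINGLE_COMMAND = bytes.fromhex("680e00000000" "2d01060001000100 0001".replace(" ", ""))
# I-frame, M_SP_NA_1 (type 1), COT 3 = spontaneous, CA 1, IOA 5: a monitoring report.
SAMPLE_SPONTANEOUS = bytes.fromhex("680e00000000" "0101030001000500 0001".replace(" ", ""))
# U-frame, TESTFR act: keep-alive, carries no ASDU.
SAMPLE_TESTFR = bytes.fromhex("680443000000")

AUTHORISED_MASTERS = {"10.0.0.10"}  # constructed: the one legitimate SCADA master

if __name__ == "__main__":
    for host, frame in [("10.0.0.10", SAMPLE_SINGLE_COMMAND),
                        ("10.0.0.99", SAMPLE_SINGLE_COMMAND),
                        ("10.0.0.99", SAMPLE_SPONTANEOUS),
                        ("10.0.0.99", SAMPLE_TESTFR)]:
        print(host, check_control_command(host, frame, AUTHORISED_MASTERS) or "ok")
```

Only the single command from the unlisted host 10.0.0.99 produces an alert; the same command from the authorised master, the monitoring-direction report and the TESTFR keep-alive pass silently. In a real deployment the allowlist would come from the substation's engineering documentation and the check would run on a network tap or in an IDS rule, since the protocol itself offers no way to reject the command at the outstation.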

Today it is Industroyer, and tomorrow it will be another APT capable of massively affecting critical infrastructures. If you want to know which technological solutions you can incorporate into your operating environment to increase its cyber resilience, we recommend that you join us at the Cybersecurity Conference on Industry 4.0 and Critical Infrastructures. We look forward to seeing you!

For more information about Industroyer, we recommend that you read the article published by the manufacturer ESET, or get in contact with us so we can help you.