Recently, malware called CrashOverride disrupted an energy system in Ukraine. In that incident, the hackers temporarily shut down one-fifth of the electric power generated in Kiev, and it left almost 225,000 customers without power.
Hackers associated with the Russian government have devised a cyber weapon that has the potential to be the most disruptive yet against electric systems, the very systems that Americans depend on for their daily life.
Sergio Caltagirone, director of threat intelligence for Dragos, said, “With some changes, it could be deployed against US electric transmission and distribution systems to devastating effect.”
“It’s the culmination of over a decade of theory and attack scenarios. It’s a game changer.”
Dragos named the group behind its development Electrum, and that group used the same computer systems as the hackers who attacked the Ukraine electric grid in 2015.
John Hultquist, who analyzed both sets of incidents while at iSight Partners, said, “The same Russian group that targeted US [industrial control] systems in 2014 turned out the lights in Ukraine in 2015.”
Hultquist’s team named the group Sandworm.
He said, “Sandworm is tied in some way to the Russian government. They might be contractors or actual government officials, we’re not sure. We believe they are linked to the security services.”
CrashOverride is only the second instance of malware specifically tailored to disrupt or destroy industrial control systems. The other, Stuxnet, was an advanced military-grade weapon designed to affect centrifuges that enrich uranium; it was the worm created by the United States and Israel to disrupt Iran’s nuclear capability.
The malware is like a Swiss Army knife: you flip open the tool you need, and different tools can be added to achieve different effects. It can be modified to attack other types of industrial control systems, such as water and gas.
CrashOverride manipulates the settings on electric power control systems. It scans for critical components that operate circuit breakers and opens the circuit breakers, which stops the flow of electricity. It also has a wiper component that erases the software on the computer system that controls the circuit breakers.
Robert M. Lee, chief executive of Dragos, said, “Through it, the attacker can target multiple locations with a ‘time bomb’ functionality and set the malware to trigger simultaneously. That could create outages in different areas at the same time.”
“The outages would last a few hours and probably not more than a couple of days. This may be because the U.S. electric industry has trained its operators to handle disruptions caused by large storms. They’re used to having to restore power with manual operations.”
“While the malware is a significant leap forward in tradecraft, it’s also not a doomsday scenario.”