The shutdown of Ukraine’s power grid last year was just a warning shot for the world.
In December, hackers caused an hour-long blackout in the Ukrainian capital of Kiev. Experts fear that was just the beginning.
Say hello to Industroyer, a nasty bit of malware that also goes by the name Crash Override. It targets circuit breakers and can hijack electrical systems from afar by abusing the industrial communication protocols used all over the world in power supply infrastructure, transportation controls, and water and gas systems, according to cybersecurity researchers who posted their discovery on Monday.
Attacks on infrastructure like electrical grids, traffic lights and water systems can hit much closer to home than email breaches and data leaks. As technology grows smarter and helps manage our homes, cities and businesses, it’s become a prime target for both criminal and nation-state hackers.
The cyberattack-caused blackout in Kiev did not lead to any disasters, but experts warn that it’s only a preview of the future of cyber warfare. After all, it managed to shut down one-fifth of the electric power generated for Ukraine’s capital.
Attacks targeting infrastructure can lead to chaos, like when engineers hacked into Los Angeles’ traffic signal system and purposely created traffic jams. The researchers who discovered Industroyer warn that it can be used to do significant damage to electrical power systems, and can be modified to hit other kinds of infrastructure. That makes it the biggest threat to industrial systems since Stuxnet.
“Attackers could adapt the malware to any environment, which makes it extremely dangerous,” ESET’s malware researcher Anton Cherepanov wrote.
A successful hack could mean blocking the water supply, thrusting traffic signals into gridlock, or cutting off vital services. There’s no indication of where Industroyer came from, whether from Russian hackers or other groups. All signs indicate that a nation-state was behind Ukraine’s shutdown, however.
Considering that attacks against electrical grids bring no financial or espionage gains, they are most likely intended to create physical disruptions, said Alan Brill, a senior managing director for Kroll’s Cyber Security Investigations unit.
“We’ve already seen this in Ukraine. If you want to disrupt people’s lives, shutting down the electricity is certainly one way to do it,” Brill said.
Industroyer takes advantage of outdated industrial systems, which were never designed with security in mind, researchers from ESET said. Once installed, it opens a backdoor and connects to a remote server to receive commands from the attackers.
The issue with the computers running our critical infrastructure is that they’re easy to hijack if you can break into the network they’re on, experts said. With a lifespan of 25 to 35 years, they’re not updated often and don’t get replaced for decades, said Galina Antova, co-founder of industrial security company Claroty.
Once an attacker is in the power grid’s network, she said, everything is up for grabs. There are no passwords, authentication or encryption hurdles that an attacker would have to get past to be stopped.
“This is not rocket science. Anyone who knows how to hack into a network can do it,” Antova said.
From the way Industroyer is written, ESET suspects the authors know a lot more about power grids than the average hacker.
“This malware is definitely the work of extremely dedicated, resourceful and capable attackers with deep knowledge of the architecture and systems in power grid substations,” Robert Lipovsky, an ESET researcher, said.
Its features are so well hidden that the infected system believes everything is normal, and Industroyer wipes all its traces once the job is done. Some of its tricks include creating an additional backdoor disguised as the Notepad application. It can also be set to work only during non-working hours, so people can’t stumble across it in action.
Its “time bomb” feature lets the hackers coordinate and set off attacks simultaneously, potentially causing massive outages in multiple areas.
“The recent attack on the Ukrainian power grid should serve as a wake-up call for all those responsible for the security of critical systems around the world,” Cherepanov said.