Ukraine Paints Grim Portrait Of Cyber Attacks To Come

Jun 12, 2017

The first successful cyber attack on an electric grid, in December of 2015, resulted in 250,000 Ukrainians losing power. Nearly a year to the day later, Ukraine's capital, Kiev, was plunged into darkness by hackers for over an hour.

ESET, a Slovakia-based cyber security firm, released an analysis Monday of the malware it believes was responsible, which it calls Industroyer. ESET says the malware took over substation switches and breakers and powered them down.

Unlike the 2015 attack, several aspects of the new malware are automated, making it faster and easier to spread.

"The recent attack on the Ukrainian power grid should serve as a wake-up call for all those responsible for the security of critical systems around the world," said ESET researcher Anton Cherepanov on the company's website.

A big reason Cherepanov says this is that the malware can be customized to attack a wide variety of facilities.

Dragos, a cyber security firm founded in San Antonio, verified several of ESET's results in its own subsequent report on the malware, which it calls "CRASHOVERRIDE."

Dan Gunter, Dragos' senior threat hunter, says the malware can't currently be used in North America because the attack was highly targeted at Ukraine: the communication protocols the grid equipment speaks are different in the U.S.

"If they want this to work in the U.S., they just have to do all that research and development on U.S. power grids and they can basically plug it into the same framework," Gunter says.

Gunter's analysis shows that this malware can cause substations to power down, but he says the ability to physically damage the infrastructure would require several other sophisticated steps that he doesn't see here. That limits the impact of attacks with Industroyer or CRASHOVERRIDE to hours or days, rather than weeks or months.

"There are much more significant issues out there that can cause very long-term damage," says Joe Weiss, an Industrial Control System security expert.

Weiss has been talking about these vulnerabilities for a decade. He agrees that this should be a wake-up call for policymakers, but isn't sure it will be.