As the mercury plunged to -9°C, heaters and lights at homes across northern Kiev suddenly switched off.
In the freezing December night, neighbourhoods were left in the dark a few minutes before midnight and stayed without power until after 1am.
Almost exactly a year before, on 23 December 2015, roughly 225,000 people were hit by a power cut in the country. Both outages have now been blamed on cyberattacks, with Ukrainian officials pointing the finger at Russia.
This week, experts say they have identified the malware responsible for the attack on 17 December 2016. The ominously titled “Industroyer” program was used, say researchers from security company ESET.
The name is all too fitting, say the team. The malware can control electricity substation switches and circuit breakers, but evades detection thanks to its authors’ “deep knowledge and understanding” of industrial control systems (ICS) and other features that keep it under the radar.
What makes Industroyer particularly threatening, however, is its ability to be transferred to a huge range of other systems. “The malware is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure,” says researcher Anton Cherepanov in a new report. Some think the 2016 attack was a test run, ahead of a wider deployment.
“Attackers could adapt the malware to any environment, which makes it extremely dangerous,” says Cherepanov. “Regardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve as a wake-up call for those responsible for security of critical systems around the world.”
Industroyer’s adaptability has been called a “big leap forward” on previous malware such as Stuxnet, which targeted the Iranian nuclear power programme. The new program is highly customisable, meaning it can be changed to target particular hardware, and it exploits ageing ICS that have been hooked up to the internet worldwide – often without proper security in place.
“Since the industrial controls used in Ukraine are the same in other parts of Europe, the Middle East and Asia, we could see more of these attacks in the future. And while these attackers seem to be content to disrupt the system, it’s not outside the realm of possibility that they could take things a step further and inflict damage to the systems themselves,” says Terry Ray from security company Imperva.
As well as power grids and water companies, which both use ICS heavily, large-scale automation in sectors such as manufacturing, shipping and aerospace also relies on the vulnerable systems. With widespread vulnerabilities and insufficient security patches, countries around the world are at risk of attack, Ross Brewer from automation company LogRhythm tells Professional Engineering.
“The risks are obvious: any critical national infrastructure is a target, and we have people that are out there now that are motivated from an ideological perspective or a political standpoint,” he says. Attackers could work intelligently, targeting key vulnerabilities in grids or systems to achieve maximum impact, he adds.
A 2014 report claims an attack on just nine substations around the US could cut power for the entire nation, even though 55,000 transmission substations operate around the country. A sabotage attack could potentially cut power for months, causing huge disruption.
‘Million things’ to protect
Although Industroyer is concerning, Tenable “ethical hacker” Gavin Millard tells PE, there are more fundamental issues that must be addressed. Both the program and recently used ransomware such as WannaCry exploit already identified vulnerabilities.
Millard says he is “more worried about the ability for malware to be created that takes advantage of known flaws in critical national infrastructure and others around the globe. If you look at WannaCry, if you look at Industroyer, it is leveraging known issues to be able to break in, it is really the codification or the simplification of those attacks into a single binary.”
Security patches are not developed quickly enough and organisations do not install them promptly, adds Millard. Companies and governments must shift the focus on to “compensating controls,” monitoring users and traffic, he says. “You have got thousands, millions of things to protect and a hacker only really needs one thing to get in, so it is a really, really difficult battle.”
To keep people safe and networks running, organisations must look beyond obvious features such as firewalls and patches, and fundamentally overhaul their approach to security, says Brewer. “Organisations need to shift to monitoring for indications of compromise at the earliest stage, so more early monitoring and more rapid response,” he says.
With researchers suggesting the Kiev attack was simply a test, it is clear that organisations must act to protect themselves and others – sooner rather than later.