Crash Override: who and how arranged the cyber attack, which left several districts of Kiev without light

And what else the world has to fear from a virus capable of hacking into electrical grids.


In mid-December 2016, a fifth of Kiev's population was left without electricity for an hour. In January, experts suggested that this was the result of a hacker attack on equipment of the Ukrenergo power station, similar to the one a year earlier in the Ivano-Frankivsk region.

But while the December 23, 2015 incident was a straightforward seizure of remote control over the management interfaces of the Prykarpattyaoblenergo station (one employee described how the cursor moved across his monitor right before his eyes while he was unable to regain control), proving that intruders were behind it took more than six months.

Evolution of the software used

It is not known what the hackers who attacked Ukrenergo call their virus. In one of the published reports the hacking tool appears as Industroyer; in another it is called Crash Override.

It is almost impossible to find similarities between the two attacks a year apart: they amount to the fact that both occurred in December and that in both cases the Ukrainian grid was the victim. Technically, they have nothing in common.

On the eve of Christmas 2015, rather primitive tools were used to hack the power system in Western Ukraine: the BlackEnergy and KillDisk trojans for penetrating and then disabling the system, plus publicly available remote-control software (which nevertheless gave the attackers complete control and prevented the operator from acting independently).

In 2016, the security systems were bypassed covertly and far more professionally. Some experts suggest that if the first shutdown looked more like a show of brute force or a provocation, the second attack was a test drive of new software.

In addition, Crash Override is "a much more scalable tool than what was used in 2015," says Robert Lee, founder of Dragos Inc., a private company engaged in cybersecurity research and defense. "One and a half years ago, attacking three regional sites required 20 people coordinating among themselves, whereas this time the same people can launch an attack on 15-20 unrelated energy systems, if not more."

If this is true, several conclusions of varying degrees of severity follow from it.

Backdoors and infected systems

Firstly, it is likely that the systems of the attacked power plant may still be infected or may contain backdoors left by the hackers for re-entry. The fact is that neither the Dragos representative nor the experts of ESET, one of the largest players in the security market, could establish exactly how the penetration was accomplished (ESET assumes that phishing emails were used, as in 2015, but there is no confirmation of this).

But it is known that this time the malware worked on the principle of a "logic bomb". This means that it acted autonomously: to launch the attack, the hacker did not need to be present in the system at the moment of launch. In addition, it was found that Crash Override is able to clean up the traces of its actions after the attack ends, but whether it leaves backdoors (flaws that later allow unauthorized access to the data. – Ed.) is unknown.

What else was hacked?

Secondly, it is impossible to say which other power stations can be hacked, or which of them already contain malicious components waiting in the wings.

It is also important that, although the hacking program was tailored to the standard protocols of the Ukrenergo software, Robert Lee notes that the virus can easily be adapted to the design of other power grids. "It is alarming that nothing rules out that this can happen not only in Ukraine," he says.

Experts also suspect that, among other things, the hackers took advantage of a vulnerability in Siemens equipment known as SIPROTEC. Siemens equipment is supplied to power plants around the world. An attack exploiting this flaw can block control of the system until the operator manually restarts it.

However, in June 2017 Siemens representatives stated that the vulnerability had been closed by a firmware update released in the summer of 2015. The company expects that all responsible users have installed it.

Destruction of physical infrastructure

Third, Crash Override, or Industroyer, whatever it is called, is a potentially very dangerous virus. All experts agree on this. After all, this is only the second time in history that physical infrastructure has been the object of a targeted hacker attack, and such an effective one. The first was the Stuxnet virus, used in 2009 by the US and Israeli intelligence services to destroy uranium enrichment centrifuges in Iran.

Another unpleasant point is that Crash Override operates with the standard capabilities of the grid management system; that is, it uses the compromised software not in some exotic way but for its intended purpose, only taken to an extreme. The fact is that when these protocols were being developed, power systems (as well as water supply, transport-control programs and everything else that could potentially be infected with Crash Override) were isolated; now they can be reached from the outside. As an experiment conducted in 2007 showed, in this way it is quite possible to cause, for example, electrical equipment to burn itself out.

Autonomy, the risk of destroying equipment, and the fact that the program focuses not on corrupting systems but on overloading them within their existing functionality: all this makes Crash Override a very dangerous tool.

Who did this?

Since the previous hack of this magnitude was carried out jointly by the military intelligence services of two technologically advanced states, it can be assumed that the words of the President of Ukraine, who sees the trace of the notorious "Russian hackers" in the "Christmas attacks", may be correct. Some representatives of the Ukrainian cybersecurity community agree with him. At the same time, the complexity of such operations in modern conditions should not be exaggerated either. For example, in 2015 the publicly accessible search engine Shodan, which finds open ports of webcams, routers and printers, allowed hackers to detect vulnerabilities first in the access-control system of the reactor of a European nuclear station, and then in the particle accelerator used by CERN experimenters.

However, since so far none of the analysts has managed to find traces of the creators of Crash Override, the question of whose hands hold a weapon of such destructive power remains open.
