What are you looking for?

By Cameron Camp, Security Researcher, ESET

Industroyer, the recent complex malware targeting industrial control systems, offers attackers a modular complex way to attack systems like the power grid. What are the implications of this?

For years, adversaries have been quietly testing the defenses of bulk critical infrastructure like gas and oil systems, hydroelectric dams and the power grid. In recent years, starting with Stuxnet in 2010, more focused attempts at directly manipulating industrial systems have started to gain prominence, including Industroyer, which attempt to directly interact with power system automation. The motivations behind such tests are both alarming and easy to imagine. If a malicious actor can switch off the power across a whole city, for example, that can impact a region’s ability to do business, keep the traffic signals working, keep drinking water running and so on. This can have the effect at disruption similar in some ways to a traditional kinetic attack – exploding ordnance to disrupt a city center, for example.

The first test of this type of attack strategy was leveled against the Ukrainian power grid in 2015, shutting off customers’ services by causing related production equipment systems to fail. A similar attack took place in December 2016; the malware used in this case was identified by ESET as Win32/Industroyer.

In the malware world, bad actors like to reuse effective tools as long as possible. Due to the current modular approach to attack software, modules can be swapped out with others to suit a particular target and opportunity. That is why they are so difficult to detect and stop, because no two look exactly the same. In this case, that means they used standard protocols like IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA). These are ubiquitous in use across power systems worldwide, not just in Ukraine (though more worldwide use would likely involve supporting the DNP3 protocol), and are noteworthy in that the attackers took special efforts to use these standards as they were intended – making it very difficult to detect based on malformed commands or network traffic. Basically, the systems were doing exactly what they were supposed to do. It is only when viewed as a whole can a pattern be seen that these facilities were under attack. For example, it is normal to switch large control equipment on or off, but not hundreds of times in quick succession.

Meanwhile, the providers of critical infrastructure, already tapped by budget constraints, are faced with upgrading decades-old systems with defenses that weren’t even imagined when they were originally built.

But the expected lifespan of this equipment might be 30 to 40 years or even more. So when the operators hear about some new network-hardened version of the same equipment, the motivation to swap a working, super-expensive piece of gear is understandably low.

As companies are forced to roll out centralized management to these old, stable systems, problems can start to occur.

There are companies rolling out network defenses aimed at critical infrastructure, but as malware-based attacks have taught us, speed is everything. Scammers want maximum return on investment, and fast.

We get asked whether these complex attacks use super specialized zero-day attacks. The answer is “no.” They focus on standard tools that are difficult to ban from a typical working environment. It would be like trying to ban screwdrivers from a car mechanic shop, it just won’t happen. Since they mash these tools up quickly into an ecosystem aimed at a particular target, no two attacks look the same.

If you’re the victim, the first thing you want to know is what is happening, but the second is who did it? That’s a tough question. Certainly, in the case of Industroyer, there were hints that Russian-speakers were involved in the construction, but that’s far from conclusive. Eager to lay blame, it’s tempting to combine this with a perceived strong motive and paint with large strokes that it was a particular actor, in this case, actors in Russia. But cybersecurity is more nuanced. If a bad actor wanted to paint Russia as a target, this would also be a tactic they might use. So there’s no conclusive way to name an attacker here.

Interestingly, however, the attacks rely on the victims using older, unpatched systems to gain access, along with operators who are not necessarily tech-savvy who might fall victim to things like targeted phishing attacks, or plugging in infected USB drives.

So the infrastructure providers scramble to educate their employees, train new recruits about network-based attacks, and keep the whole system running smoothly in the meantime, no easy task. Luckily, these providers are also starting to engage security specialists who can help them get up to speed and try to tune their defenses accordingly.

In any case, there seems to be a generational knowledge gap in ICS. Many operators who are regarded as experts and run large systems went to college when there was no internet, let alone threats coming over the internet. Since many are nearing retirement, they see little incentive to learn about packets, ports, protocols and protecting systems that have been working smoothly for decades. They’re probably at the top of their pay scale, so there’s little financial incentive for them really.

But as they retire, and new engineers, who were raised during an internet generation, will start to replace the old guard, they are bringing with them a new approach to keeping these systems safe.

By working together, we hope to bring the right tools and expertise to bear on the bigger job of keeping us all a bit safer, and with all our lights, water and industrial systems working fine for the long term.