A new cyber weapon has been created by the Russian government (with a little help from hackers) that could cause havoc with our electric systems if it gets into the wrong hands. It’s a type of malware and has been given the nickname CrashOverride. So far we only know of one energy system that’s been disrupted, and that was back in December in Ukraine where hackers momentarily shut down one-fifth of all electricity generated in the city of Kiev.
With just a few modifications it could also be used in an attack against the U.S. electric systems too. “It’s the culmination of over a decade of theory and attack scenarios,” says Sergio Caltagirone, director of threat intelligence for cybersecurity firm, Dragos. “It’s a game changer.” Just last year the Russian government allegedly disrupted the U.S. election and influenced its outcome.
The group behind the malware has been named Electrum and it’s said that they’re using the same computer systems as those used in the 2015 Ukraine electric grid attack. This is the attack that affected more than 200,000 customers and left them without any power for a short while. It was orchestrated by the Russian government, according to U.S. researchers, although U.S. government officials have not yet confirmed that publicly.
John Hultquist is the man responsible for analyzing both the attack on U.S. industrial control systems in 2014 and that which turned out the lights in Ukraine in 2015. He said, “We believe Sandworm is tied in some way to the Russian government – whether they’re contractors or actual government officials, we’re not sure. We believe they are linked to the security services.”
Energy experts are concerned about the new malware, and as a result, the industry is looking at ways to combat potential attacks. “U.S. utilities have been enhancing their cybersecurity, but attacker tools like this one pose a very real risk to the reliable operation of power systems,” said Michael J. Assante, a former worker at Idaho National Labs and former chief security officer of the North American Reliability Corporation.
It’s not common practice for malware to be created specifically to disrupt or destroy industrial control systems and CrashOverride is only the second instance ever heard of. The other was a worm called Stuxnet that was designed to disrupt Iran’s nuclear happenings by affecting centrifuges that enrich uranium. In reference to CrashOverride, “what is particularly alarming… is that it is all part of a larger framework,” said Dan Gunter, senior threat hunter at Dragos. This malware could easily be modified to attack other industrial control systems, including gas and water.
One of the biggest threats with CrashOverride is the fact that it can manipulate the settings of electric power control systems. It does this by scanning critical components that control the circuit breakers and keeps them open even when the grid tries to shut them. As a result, a sustained power outage occurs.
The malware also has the ability to erase the software on the system that controls the circuit breakers, thus forcing the grid to return to operating under manual instruction which would involve someone having to travel to the station to restore power. Multiple sites can be targeted at the same time creating outages in different places simultaneously. Typically the outages would last between a few of hours and a couple of days. So, although the malware would be a pain in the backside for the energy industry, it isn’t the be all and end all, and we can get around it.
More News to Read