INDUSTROYER/CRASHOVERRIDE: ZERO THINGS COOL ABOUT A THREAT GROUP TARGETING THE POWER GRID, presented at Black Hat 2017

by Robert E. Lee, Ben Miller, Robert Lipovsky, Anton Cherepanov, Joe Slowik

Summary: The cyber attack on Ukraine's power grid on December 17th, 2016 was the second time in history that a power grid had been disrupted by a digital attack. The first was in Ukraine on December 23rd, 2015. Unlike the 2015 attack, few details about the threat that faced the power grid in 2016 had been made public until now. In June 2017, ESET released a report on a malware sample they identified as Industroyer. They had passed the sample ahead of time to Dragos, Inc., who focused on the industrial control system (ICS) aspects of the malware and revealed new functionality that spelled a nightmare scenario for power grid operators: ICS-tailored malware capable of disrupting grid operations at scale, in environments independent of system choices. Dragos identified the malware family and its new functionality as CRASHOVERRIDE.

This talk will walk through the Ukraine 2015 and Ukraine 2016 events with a central focus on the malware, a technical analysis of it, and its impact on grid operations. Only three other pieces of ICS-tailored malware had been publicly revealed before (Stuxnet, Havex, and BlackEnergy2), making this malware of particular interest to the community. The fact that it could be re-purposed immediately to target grids around Europe, and with simple modifications target grids in the United States, marks a hallmark event. Defense is doable, and our grid operators are actively defending our infrastructure. But learning from such a significant threat is vital to making sure our defensible systems stay defended.