Security researchers from ESET and Dragos have discovered a brand-new malware strain, dubbed Industroyer, that was specifically built to target equipment installed in power grids and that has already been deployed in live attacks in Ukraine, according to BleepingComputer.com.
These attacks took place on December 17, 2016, and shut down electrical power distribution to a large area of Kiev, Ukraine’s capital.
The incident must not be confused with another cyber-attack that targeted Ukraine in December 2015, which also shut down power supply to large areas of western Ukraine. Those incidents were caused by another ICS malware named BlackEnergy.
The report says the strain detected in December 2016 was found by ESET security researchers, who named it Industroyer. ESET says the malware does not share code with BlackEnergy and appears to have been created from scratch.
Experts say Industroyer was designed to target only a specific set of industrial equipment, usually found in the networks of power distribution companies, such as electricity substation switches and circuit breakers.
The malware doesn’t infect these devices, but regular computers that run ICS/SCADA management software. Experts say Industroyer was designed to relay commands to switches and circuit breakers that support four very popular industry standards (listed below).
This allows the malware to adjust settings or shut down equipment, causing network outages, cascading failures, and even physical damage to equipment. Furthermore, because electric power supply is crucial to other sectors, the damage Industroyer causes far exceeds what local power supply companies alone can assess.
In the past two years, only Ukraine has been the target of power-grid-crippling malware, which, coincidentally or not, started after Russia invaded Crimea. Tensions between the two countries escalated further after Russia started backing rebels seeking to set up independent pro-Russian territories in eastern Ukraine.
Based on this alone, many would be tempted to blame Industroyer on Russia. Nonetheless, ESET researchers have not gone on record to do so just yet.
“Attribution is always tricky in cyber-attacks, and we always refrain from speculations, even more so when it comes to sensitive geopolitical issues,” Robert Lipovský, senior malware researcher at ESET, told Bleeping Computer via email.
“To attribute merely based on assumptions about the interests of countries in a state of war, without concrete evidence, would be pure speculation and dangerous. And in the case of Industroyer, there was no indication in the malware that could point to an attacker – Russian or other,” he added. “As for the possible explanations why Ukraine was targeted, regardless of who may be behind it, that’s a very good question to which we don’t have a definite answer.”