[SystemSafety] Ukrainian Electricity-Grid Malware Found "in the Wild"

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Sun Jun 25 08:31:19 CEST 2017


In Risks Forum 30.34 there was a pointer to an article in ars technica by Dan Goodin on malware used
to attack the electricity grid in Kiev in 2015. This is apparently an automated advance on methods
used by the same suspected group to attack the Ukrainian grid in December 2015.
https://arstechnica.com/security/2017/06/crash-override-malware-may-sabotage-electric-grids-but-its-no-stuxnet/


Goodin relies on a report from security firm Dragos
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf. There is also a short report from Anton
Cherepanov of Slovakian antivirus company ESET
https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
Dragos credits ESET with notifying them of the existence of the malware. BTW, Dragos is incorrect in
suggesting that 104 is an IEC protocol (see, e.g., Figure 1). There is an ETSI TS 104 specifying
communication protocols for low-level devices in the so-called "smart grid" (unlike IEC standards,
the ETSI standard is available for free on-line - reference below).

The 2015 attack used some tools to wipe traces, but it was largely executed by humans. The short
March 2016 SANS report can be found at
http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf. See the last
paragraph of "Capability", on pp. 5-6, for the attribution of the outages to direct interaction with
the adversary.

The newer more-automated version includes exploits using standardised communication protocols for
electricity-grid operations. Goodin says:

[begin quote Goodin]
The fluency in at least four international communications protocols used in electric grids is a
testament to the "tradecraft" of Crash Override. The mastery means that the team that developed the
malware had extensive experience with the way electric grid systems work.
[End quote Goodin]

I checked. IEC 61850 concerns "Communication networks and systems for power utility automation" and
has 29 parts: https://webstore.iec.ch/publication/6028. The first six parts alone incorporate almost
850 pages (I assume from experience that about a third of this will be boilerplate, but still it's a
lot). ETSI TS 104 concerns "smart-grid" protocols:
http://www.etsi.org/deliver/etsi_ts/104000_104099/104001/02.01.01_60/ts_104001v020101p.pdf. Yes, it
looks to me as though experience is required just to be able to find your way around these standards.

PBL



Prof. Peter Bernard Ladkin, Bielefeld, Germany
MoreInCommon
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de




