Industroyer
In today’s world, since the evolution of technology is so progressed, we have to think of ways on how different infrastructures can be modified with malicious intent via Cyberspace
Electric Grid systems are not only holding cables and delivering power to households, industrial locations, and businesses. Since the Power distribution balance is achieved with PLCs and SCADA systems, we have to investigate all the previous attack attempts and see if we can do a workaround and be one step ahead of the attackers’ but this will be a collection of malware that were used to affect power grid systems.
As many industries are connected to the Power grid, load balancing requires different systems and communications. For example, as every business has different needs of power, there many different mediums for generating electricity from power plants, like gas, coal, nuclear, renewable energy and hydroelectric, etc… From these sources, officials need to balance the consumption of energy.
And for that reason, a power grid needs to be an enormous, almost living, and breathing creature that can supply energy all over the region or country.
This creature is using SCADA systems to manage the balance of power with the help of substations, where PLCs are located which are connected to the SCADA system.
These controllers can be configured remotely and on-site to ensure power distribution and stability. for example, if a circuit breaker is deactivated in a Substation it will connect back to the main grid and can hinder operational functioning and cause disruption on the power grid as a whole.
Mostly IEC104 protocol is being used based on TCP connection therefore, a Power grid controller system is a great mixture of IT and OT technology
To be able to see the damage of attacks targeting the grid we need to see the predecessors that did damage in an industrial environment Starting from 2015
STUXNET
When this Malware hit the world the first time, it was in the news all over the world. The most famous example of this malware was the Natanz nuclear facility in Iran.
It was the first confirmed custom ICS malware, and it included 4 zero-day exploits and got out of hand very quickly and efficiently. It showed that the payload and its content as proof of a detailed understanding of industrial processes. STUXNET’s greatest strength was taking advantage of functionality in Siemens equipment to interact with nuclear enrichment centrifuges through abuses of features and functionality.
The purpose of the Siemens equipment was to be able to control and change the speed of the centrifuges. Stuxnet did this as well, but with pre-programmed knowledge. It basically spins the centrifuges at speeds that would cause the centrifuge to burst from their casings and fed the controller false information regarding the speed.
Stuxnet is not just an example of a hybrid, ICS-OT malware, but one of the earliest examples of APT attacks, developed by nation-state actors.
Dragonfly/HAVEX
The Havex malware has two primary components: A RAT and a C&C server written in PHP. Havex also includes an OPC (Open Platform Communications) scanning module used to search for industrial devices on a network. The OPC scanning module was designed to scan for TCP devices operating on ports 44818, 105, and 502. Researchers at SANS noted these ports are common to ICS/SCADA companies such as Siemens and Rockwell Automation. The Dragonfly group utilized Havex malware in an espionage campaign against energy, aviation. pharmaceutical, defense, and petrochemical victims. Researchers at Symantec observed Havex malware began seeking energy infrastructure targets.
BlackEnergy 2
BlackEnergy 2 uses sophisticated rootkit/process-injection techniques, robust encryption, and a modular architecture known as a “dropper”. [6] This decrypts and decompresses the rootkit driver binary and installs it on the victim machine as a server with a randomly generated name.
This ICS malware contained exploits for specific types of HMI applications including Siemens SIMATIC, GE CIMPLICITY, and Advantech WebAccess. It’s a smart approach by the attackers to target internet-connected HMIs. when spoofing of the HMIs, the attackers had access to a central location in the ICS /SCADA to start to learn the industrial process and gain information through the HMI.
BlackEnergy 3
The latest full version of BlackEnergy emerged in 2014. The changes simplified the malware code: this version installer drops the main dynamically linked library (DLL) component directly to the local application data folder. This variant of the malware was involved in the December 2015 power grid cyberattack in Ukraine. That attack was revolutionary as it was the first-ever when a malware disrupted the Power Grid System, however, it did not contain ICS payload or components.
Instead, the attackers used an IT-related vulnerability in the BLACKENERGY 3 malware to gain access to the corporate networks of the power companies and then pivoted into the SCADA networks. When the attackers managed to get access, they took control of the network for themselves and they disconnected substations while leaving 220,000+ people in total blackout for more than 6 hours.
To do this, they used the KillDisk malware as the content of the payload and bricked serial to ethernet devices through infected firmware updates. These actions left the Ukrainian Grid Operators without a SCADA system; therefore they lost all ability to control and to countermeasure the attackers’ activity.
The above-mentioned malware were the first instances of ICS-related tailored payloads. By combining all of the above and further refining their approach, the attackers developed what we know today as CrashOverride or Industroyer.
„CRASHOVERRIDE” INDUSTROYER
At the same time, it is the fourth malware publicly revealed to target industrial control systems, after Stuxnet, Havex, and BlackEnergy.
The malware was discovered by ESET and they named it Industroyer, While ESET worked in cooperation with Dragos, their engineers named it CrashOverride.
After the detailed investigation of the malware and payload, it revealed that it was designed to disrupt the working processes of industrial control systems, specifically those used in electrical substations. the framework contained the following. Main backdoor, additional backdoor, launcher component, and the four payloads with a data wiper component.
The payload targets particular industrial communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC Data Access).
Key features of the Backdoor / RAT components summary
Uses local proxy authentication via internal network before backdoor installation. After the authentication, it opens an HTTP channel to an external C2 server (Command and Control) through an internal proxy. The payload receives commands from this external C2 server. usually, the first task is to create a file on the local system and overwrite the existing service to point to the backdoor so the malware is able to sustain presence between reboots of the infected devices.
After this, the ICS network is breached and the malware is communicating to an internal proxy port TCP 3128, which is the default listening port for the Squid Proxy. It constantly pings the C2, until the connection is established. The packets contain HTTP POST request with the target computer within the HTTP body. That will authenticate the victim computer to the C2 server. If there is no reply from the C2 server, the backdoor stops attempting.
if the C2 server can authenticate the connection through the proxy, the malware initiates an HTTP CONNECT from the attacker infrastructure.
Upon checking on TOR, the IP addresses were listed as ACTIVE when investigating the event after the occupation of the Power Grid controller.
The malware is able to output different hard-coded values to the ICS network of the victim.
Industroyer hard-codes were able to create new processes as a logged-in user or via CreateProcessWithLogo. It can write and copy files, execute remote commands as a logged-in user or a targeted user.
There was a Stop service feature implemented in the code if something goes wrong, and a killswitch was implemented as well which could Kill the backdoor.
The backdoor was found in 2 instances on the victim PC (C:\Users\Public\ or C:\Users\)
This is nothing to do with the analysis but it is a good indicator for the observed activity and can be used to detect this malware with host-based indicator checking.
If the backdoor fails in the process of service manipulation it won’t be able to connect to the C2 server and can’t persist after a reboot, the presence will be still there on the Disc but it is not effective at all.
Another piece of evidence was found which is absent from most remote access tools, a command to exfiltrate data. Anyone would think it could be exploited as its basic options contain file copying and loading on the host computers as an all-encompassing backdoor and espionage framework, but instead of these functions, this tool is explicitly designed for facilitating access to the machine and executing commands on the system and cannot reasonably be confused with an espionage platform, data stealer, or another such item
Launcher Module Summary
It is responsible for the backdoor function to be installed which will manipulate the ICS network and wreak havoc via the Wiper feature.
It is very sneaky as it hides between the services on the computer and loads in the payload modules with a command line while executing.
After startup, it will begin a 1-2 hours countdown before using Data Wiper
While loading in the attack sequence the payload must be loaded from a different loader.
Parameters in the EXE:
Launcher.exe <working Directory> payload.dll configuration.ini
When the launcher successfully executed, it will start a service „defragsvc” and after that, the DLL loads via an exported function with the name of Crash, and a new high priority thread develops on the target computer. The launcher passing the control to the loaded module in the 2-hour countdown period right before Disk Wipe.
Data Wiper Module summary
The wiper module was responsible to clear registry keys with the associated system services. Then all configuration on the ICS system gets overwritten from the Hard Drives and every internally mapped network targeting ABB PCM600 config files. Also, in the meanwhile, it is overwriting original windows files and makes the system inaccessible and unusable.
As its first goal, it will write zeros to the registry key values.
e.g: SYSTEM\CurrentControlset\Services
After manipulating the values in the registry keys and overwriting it to all 0 will render the system unusable
The Wiper is searching for file extensions not just configuration files linked with ABBPCM600 files.
a few examples of extensions being hunted by the wiper:
.pcmp ; .pcmi ; .pcnt ; .CIN ; .PL ; .paf
Most of them can be associated with ABB PCM600 the rest is for PLC archive files and PLC config files.
IEC 104 MODULE summary
The module has 4 modes for total effectiveness. The first mode is the Sequence mode which is responsible for continuously monitoring open RTU IOAs.
The second mode is Range mode which investigates all RTU on the system for valid IOAs and can toggle IOAs between open and closed status.
The third mode is Shift mode and the fourth is Persist mode. These 2 modes were never used and were never seen in action in the Ukraine attack, as it was not fully implemented.
When the module reads a config file of an RTU, it will kill the legitimate master process and masquerades itself as the master process then using the above-mentioned modes.
The module CrashOverride IEC 104 is a whole implementation to IEC 104 to serve in a „MASTER” role. This unique functionality provides tailored manipulation and the exposed victims access becomes confined.
The module may set specific values and constantly set the IOA to open and enumerate IOA on target devices to operate the circuit breakers
IEC 101 Module
Based on the findings of ESET it’s proven that the only difference in functionality is, that the 101 module communicates over serial but in every other aspect it is the 104 module.
IEC 61850 Module
Based on the findings of ESET this module was used to enumerate the local network to identify targets if it could not leverage a configuration file. It communicates if a potential target is connected to or controls a circuit breaker switch.
OPC DA Module
Based on the findings of ESET this module does not require a configuration. it is looking for ABB subsets by enumerating OPC servers and their associated items. If found then it will re-write the value twice to 0X01 and by that the primary value changes to out-of-limits device status.
SIPROTEC DoS Module
Based on the findings of ESET this module exploiting CVE-2015-5374 causing SIPROTEC digital relays to go into an unresponsive state by sending UDP packets to port 50000.
Attack Options
1. First Attack: De-Energize substation
This requires one or multiple RTU targeting information because without that knowledge the attack not possible. When the sequence hits the appropriate address the command begins an infinite loop and starts to set new values to the point to open a breaker that de-energizes the substation.
Many variables need to match for this type of attack: system dynamics, power flows, etc.
In most cases, it won’t have an immediate effect on a substation so the human workers might be unaware of it.
If activated, the remote team probably has lost all control from the Substation and it’s required to send a crew on site. If the crew is working well, the infected substation only causes a few hours of outage, but it’s well enough to execute other operations or damage the reputation of the operator.
2. Second Attack: Force an Islanding event
It begins the same way as the first option, but this uses the range command to begin the loop, which toggles between the status open and closed, which will trigger the self-protective capability of the substation and changing the status of the breakers automatically to a forced „islanding” mode. The breaker goes Offline due to the self-protection protocol. If there are multiple substations being attacked at the same time, the multiple „islanding” events could cause a grid-wide catastrophe.
3. Third Attack: Abusing CVE-2015-5374
A more severe approach to the „islanding” event is to hamper with protective relays.
This kind of attack can be amplified by creating a denial of service against the self-protective automated system. At this time, it is believed that CVE-2015-5374 causes a denial of service (DoS) of the complete relay functionality and not just the network communications module.
Hampering the protective scheme by disabling the protective relays can broaden the islanding event and, if done at scale, could trigger a larger event causing multiple substations and lines “islanding” from the electric grid
Air gapped networks, unidirectional firewalls, anti-virus in the ICS, and other passive defenses and architectural changes are not appropriate solutions for this attack. No amount of security control will protect against a determined human adversary. Human defenders are required, who are alert 24/7/365 and can use active measures (SOC, CFC).
Transmission and distribution companies should not rely on the usage of other protocols such as DNP3 as a protection mechanism. The completeness of the CRASHOVERRIDE framework suggests there may be other undisclosed modules such as a DNP3 module. Also, adding this functionality into the existing framework would not require extensive work on the part of the adversary
Conclusion
Today most people think the threats of life are Nature-based (earthquake, tsunami, climate change) or perhaps economics-related.
But in reality, a new type of threat is getting more and more serious every day.
Our way of life is very dependent on different industrial sites such as water treatment, power distribution, waste disposal, and so on and if these sites are attacked it could lead to mass outages in various areas or in worst case scenario a whole country outage, what can cause not just losses in technological terms, but in human life too.
We simply haven’t realized the fact, that the industrial cyberattacks are real and there are actors with bad intentions who can successfully attack public service industrial sites.
CRASHOVERRIDE is a great example of tailored ICS malware, and we can only guess what would have been the outcome if the malware reaches multiple electric grid sites at the same time, but the same can be told for industrial or water treatment plants.
One big difference between OT and IT is that while in IT, attacks may cause data loss, but in OT it can lead to loss of life, as industrial equipment can be overcharged to cause explosions or to mix poisonous elements back to the water from treatment stations, or worse.
We have to be more cautious and we need to think ahead. This will be a constant battle between Malicious Actors and Cybersecurity experts. We might not acknowledge the truth that our way of life is vulnerable through Industrial vulnerabilities, but soon we have to face the truth if we don’t defend ourselves against them.