Malware capable of taking down a city's electrical power grid has been detected.
Named 'Industroyer', the malware was identified after an attack on Kiev in 2016. ESET's analysis found that it is capable of directly controlling electricity substation switches and circuit breakers. It does this through industrial communication protocols that are used around the world in power supply infrastructure, transportation control systems and other critical infrastructure systems, such as water and gas.
In particular, Industroyer uses these protocols in the ordinary way, and its core component is a backdoor that the attackers use to install and control the other components. The malware connects to a remote server to receive commands and to report back to the attackers.
It also uses Tor to communicate covertly with its command-and-control servers, while an additional backdoor is designed to regain access to the targeted network should the main backdoor be detected and/or disabled.
Anton Cherepanov, senior malware researcher at ESET, said: "While being universal, some of the components in the analyzed samples were designed to target particular hardware. For example, the wiper component and one of the payload components are tailored for use against systems incorporating certain industrial power control products by ABB, and the DoS component works specifically against Siemens SIPROTEC devices used in electrical substations and other related fields of application."
ESET acknowledged that, with the investigation into the Ukrainian power outage still ongoing, it was not able to confirm that the Industroyer malware was the direct cause.
Source: Info Security