Move over, Stuxnet: Industroyer malware linked to Kiev blackouts

Security researchers have discovered malware capable of disrupting industrial control processes. Industroyer can cause the same sort of damage as BlackEnergy, a malware strain blamed for attacks on energy firms that caused blackouts in Ukraine in December 2015. The malware may have featured in follow-up attacks last December …

  1. Anonymous Coward
    Anonymous Coward

    The as yet unknown authors of the malware were familiar with industrial control systems.

    No doubt it will be blamed on NK or Russia, but it really comes with a "made in the USA and Israel" sticker.

    1. Gideon 1

      Re: The as yet unknown authors of the malware were familiar with industrial control systems.

      Do you wear a tinfoil hat?

      1. h4rm0ny

        Re: The as yet unknown authors of the malware were familiar with industrial control systems.

        >>"Do you wear a tinfoil hat?"

        In the future, I predict, everyone will be wearing one.

    2. Anonymous Coward
      Anonymous Coward

      Re: The as yet unknown authors of the malware were familiar with industrial control systems.

      Not necessary for either.

      You can obtain most SCADA software as part of various Smart City etc. initiatives, including hacking contests run in relation to these. There are other ways you can get your mitts on them. While they are still a bit exotic, they are nowhere near as rare as they used to be in Stuxnet days.

      In fact, if this was built by the "usual suspect" nation state, Kiev would still be sitting without power instead of having had a one hour power outage. Anything else aside, the "usual suspect" nation state possesses a detailed map and detailed failure analysis for the Ukrainian grid. It can destroy a significant portion of it physically by whacking the substations and links in the correct sequence.

      Now, this does not mean that a nation state (including the "usual suspect") has not bought the author wholesale by now. In fact, I suspect he is very comfortable now with his needs fully catered for. Not a bad life. If you are OK to live in a gilded cage, of course. (*)

      (*) Disclaimer: my dad simulated a nervous breakdown and tore up his doctoral thesis in 1984 in order to avoid getting on the "do not let this person out of the country" list in the "usual suspect" country. He came within a whisker of the door of the gilded cage shutting behind him, so I know from close observation how this works...

      1. Anonymous Coward
        Anonymous Coward

        Re: The as yet unknown authors of the malware were familiar with industrial control systems.

        Kim Philby certainly had a clear experience of what it was like to live in said cage.

        Never did get recognition as a colonel.

  2. Red Ted
    Facepalm

    Cyber Squirrel

    I'm still more worried about some dumb animals bringing down my power supplies: http://cybersquirrel1.com/

  3. Anonymous Coward
    Anonymous Coward

    While in principle it's difficult to attribute attacks to malware without performing an on-site incident response, it's highly probable that Industroyer was used in the December 2016 attack on the Ukrainian power grid.

    Translation: we have absolutely no clue whether the package has any connexion to that power outage, but our little bit of self-promotion sounds a lot more relevant and important if we say this.

  4. Anonymous Coward
    Anonymous Coward

    Assuming this is spread via the internet, the big question is "why are these controllers connected to the internet?"

    One would think that by now the company security people would be demanding dedicated secure lines to all substations and all marketing wonks and non techies being kept away from the control units.

    1. Anonymous Coward
      Anonymous Coward

      Re Ivan 4

      Have you read and absorbed ANY analysis or commentary on Stuxnet and successors?

      No direct Internet-facing connection is necessary. Sneakernet and a vulnerable carrier (of which there are plenty) is more than sufficient.

      Please, would readers go away and do some homework before repeating these fatuous comments.

      Merci.

      1. Anonymous Coward
        Anonymous Coward

        Re: Re Ivan 4

        @Lache anonyme,

        Having sneakernet work was a bit of luck in Iran. There was no guarantee that some DC would do it. Also, if the ports on the other equipment are correctly configured, then this would not work.

        So, (1) learn some social skills, and (2) learn some manners, connard!

      2. Anonymous Coward
        Anonymous Coward

        Re: Re Ivan 4

        Have you read and absorbed ANY analysis or commentary on Stuxnet and successors?

        Yes I have. The question is do you have any knowledge of standard equipment security?

        I also know about 'sneakernet', hence my comment about keeping certain people away from the equipment. In the factories where my company has IT oversight it is impossible for anyone unauthorised to plug anything into the control system computers (USB ports either disconnected or filled with epoxy, no CD/DVD drive, no floppy drives), and to get at them requires two people with keys to unlock the door, and the security person goes with you no matter what.

        1. Anonymous Coward
          Anonymous Coward

          Re: Re Ivan 4

          "The question is do you have any knowledge of standard equipment security?"

          I do, thank you, and if your organisation is doing what you say it is (and some unwritten bits too including the one which follows), you are to be congratulated, because very few of the organisations I've known are so scrupulous.

          Do readers in general (and maybe also your security people, IT people, and the people with cabinet keys) understand that a Simatic HMI device (or other vendor equivalent), "programming panel", or whatever, is often just a Windows PC (with all the usual vulnerabilities and maybe more), in a different-looking enclosure?

          Suppose a suitably authorised person connects the programming box to the site LAN (the IT one, not the automation one) for a functional update, or to print something, or some other legitimate and often unavoidable use. Suppose the box then gets infested, partly because no-one in IT recognises it as a PC, partly because no-one in C+I/ProdEng/etc. really understands IT security.

          Then it's disconnected from the site IT LAN and carried (physically or logically) to the automation LAN, where the payload does its work on the automation gear, just as was documented with Stuxnet.

          Again, if your procedures and personnel ensure that this kind of thing doesn't happen, you are to be congratulated.

          Don't forget to mention it more explicitly in future - there are lots of people that haven't covered this approach yet.

          The same caveats also apply elsewhere, e.g. in electronics test gear, where some oscilloscopes, logic analysers, and other relatively routine test gear have for many years had PC-like capability (often based on antique flavours of Windows) which the IT people aren't even aware of, and which can in principle legitimately be moved between the site IT LAN and the "secure" LAN.

          1. Anonymous Coward
            Anonymous Coward

            Re: Re Ivan 4

            Ah, someone that understands equipment and site security.

            Yes, we are aware the 'programming panel' is usually a Windows PC in disguise - we have converted those we are responsible for to Linux, but even then they are never removed from the equipment LAN on pain of instant dismissal. Any updates are done by unlocking the access cover (two keys again required) to the active USB port and using a thumb drive that has been checked on two stand alone computers (not connected to anything but the mains, and that filtered with a 50hz notch filter).

            We do take security very seriously and get paid for it because in the end if anything goes wrong we are responsible.

            1. Anonymous Coward
              Anonymous Coward

              Re: Re Ivan 4

              "and using a thumb drive that has been checked on two stand alone computers "

              And what has checked those PC's?

              It's like the warning light to say a light is out....but what checks the warning light is working?

              1. Anonymous Coward
                Anonymous Coward

                Re: Re Ivan 4

                Hence two computers. We should get the same results from each, if we don't then the warning flags are flown.

                I will say that there are other checks that we don't talk about for obvious security reasons.

              2. Anonymous Coward
                Anonymous Coward

                what checks the warning light is working?

                "It's like the warning light to say a light is out....but what checks the warning light is working?"

                On an ancient (e.g. 1970s) computer or peripheral, there was often a "lamp test" pushbutton for exactly that purpose. Some skill and understanding was required too, on the part of the operator/user/etc.

                On any recent car dashboard etc that I've seen, the warning lights typically all light up (briefly) during the self test at startup. No lamp test button that I've seen. Again some skill and understanding is required.

                That one can be, and has been, done, it isn't real difficult.

                But that's not really what you're asking, is it.

                "Checked on two stand alone computers" actually means "checked today for threats known and circulated yesterday'", doesn't it?

                It's potentially a lot better than many sites manage, but it sounds like there's still a certain amount of 'security theater'/'tick the box' involved.

                E.g. exactly what value is the recently-mentioned "mains ... filtered with a 50hz notch filter." supposed to add, in an era where almost any non-trivial non-TEMPEST mains-powered device just feeds the mains into a switched mode power supply which typically cares little about whether it's 40Hz or 400Hz, 120V or 240V? OK, I exaggerate, but only slightly.

    2. Fatman
      FAIL

      RE: Security demanding....

      <quote>One would think that by now the company security people would be demanding dedicated secure lines to all substations and all marketing wonks and non techies being kept away from the control units.</quote>

      ONLY to be overruled by the cost cutting MBA's (Mainly Brainless Assholes) who are worried about the "hit" to the executive bonus pool.

  5. Herby

    Maybe we should look at...

    Siemens for a cure. It seems that the attacks look at this company for the vector to do "things bad".

    Of course those wearing the tin hats might say that they are part of the conspiracy, and the list goes on...

  6. Will Godfrey Silver badge
    Unhappy

    Puzzling

    Why are Siemens PLCs so ubiquitous?

    They are not only truly horrible, but they're not the cheapest either!

    1. thames

      Re: Puzzling

      Siemens PLCs are so ubiquitous for the same reason that Microsoft products are so ubiquitous. They have the distribution networks, training and skills certification partnerships, third party consultant and value added product partnerships, an entrenched install base and vendor lock-in with existing customers, etc., etc.

      Once you've got one Siemens product installed, you have to keep buying more of their stuff because their stuff only works with either their other stuff, or with someone they have a partnership with. Most of the other big vendors work the same way. They've got the "vendor lock-in" dials turned up to 11.

    2. Palpy

      Re: Siemens? This one is a GP malware.

      General-purpose. Virtually everything industrial speaks OPC DA. OPC reads data, and it writes data. It can query for available OPC servers, connect to one, enumerate your control tags, and then start sending commands to your controls. The thing about it is, once the baddie has dropped a client and a dll on the system (there are FOSS versions easily available), then OPC is script-kiddy simple to code.

      Mind you, if you have any malware with root privileges and a backdoor on your automation network, c'est le game over.

      And yes, saying, "Oh just keep everything air-gapped and you'll be fine" is simplistic.

    3. ecofeco Silver badge

      Re: Puzzling

      There are only 5 versions of PLC in the first place and they vary only a little at that.

  7. thames

    Where the real problem lies

    The original article (the link is in the Reg story) waffles about a bit, as the reality is nowhere near as dramatic as the hype.

    First, "Industroyer" appears to be just another Windows virus, but with a payload that is intended to send commands to devices on an attached private network rather than sending spam or doing Bitcoin mining. In other words, it's a bog standard IT security problem rather than something super special to industrial control systems. The solution is to apply whatever security measures are considered adequate for whatever revenue critical functions your business may also have running on MS Windows.

    CVE-2015-5374 is completely unrelated. This affects a Siemens Ethernet to industrial network protocol converter. This is a small box that you plug an Ethernet cable (or optic fibre cable) into on one side, and one of the special industrial media/protocol combinations such as Profibus into the other side. It then accepts commands from your Windows PC via Ethernet, translates them into industrial protocol commands and does the electrical (or optical) conversion to pass them on to the industrial devices. It also does the same in reverse.

    The listed CVE apparently refers to the converter having a software bug which will crash the firmware if it receives a malformed packet. This doesn't surprise me, as most devices in this class are absolutely craptastic regardless of who sells them. A lot seem to be private labelled versions of products from one or two small companies. The only relationship that "Industroyer" has to this CVE is that Industroyer could theoretically send it the sort of malformed data packets that could crash it.

    As noted by another poster, there is by the way zero evidence presented that Industroyer had anything to do with the Kiev blackouts.

    Whether we are talking about Stuxnet, Industroyer, or whatever scary story of the week is being promoted, they all have one thing in common. They are basically just MS Windows viruses with specialised payloads. For whatever reason, good or bad, the big industrial equipment vendors have decided to host their configuration and monitoring software on MS Windows PCs. This is the software used to monitor what is going on in the equipment, tell the equipment what product to make or how much electricity to produce, log data to databases for analysis, and program the equipment via proprietary IDEs.

    That software has to be able to communicate with the equipment in order to do its job, and vice versa. If a virus payload manages to take over one of those PCs, it can then masquerade as a legitimate user, and send out commands using that user's authorisation to do whatever those industrial devices are normally intended to do. That can include shutting down an electrical power plant, which is something that happens routinely for legitimate reasons anyway. Altering the industrial protocols or devices will do nothing to mitigate that.

    Where the main, real vulnerability lies at this point in time is in the multitude of Windows PCs which are an inseparable part of many modern industrial systems at this time. Security efforts need to be focused there. The reason why these types of articles waffle around that point is that admitting this isn't going to generate higher consultancy fees for security consultants who have added the word "industrial" to their business cards.
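The two points above (Palpy: an OPC client on the network can enumerate tags and write to them; thames: a compromised Windows engineering PC sends commands with that PC's normal authorisation) both come down to the same defensive observation: the commands themselves look legitimate, so what you can still check is *which host* is writing *which tag*. The script below is an added example, written for this page and not code from the thread, from ESET, or from any vendor. It assumes a constructed, invented log format (timestamp, host, operation, tag, value), invented host and tag names, and a hypothetical per-host write allow-list; real OPC DA traffic would have to be captured and normalised into such records first, which the example does not do.

```python
"""
Allow-list check for control-network write and browse commands.

Added example for this page (not the thread's or any vendor's code). Models a
narrow, per-host allow-list of permitted tag writes: a compromised engineering
PC still carries its normal authorisation, so the check looks at the pairing
of source host and tag rather than at the command's validity.
All log lines, host names and tag names below are constructed for illustration.
"""
from dataclasses import dataclass
import re

# Constructed allow-list (assumption): which source hosts may write which tags.
ALLOWED_WRITES = {
    "hmi-01": {"Line1.Conveyor.Speed", "Line1.Conveyor.Start"},
    "eng-ws-02": {"Line1.Conveyor.Speed"},
}

# Constructed log in an invented format: <timestamp> <host> <op> <tag> <value>
SAMPLE_LOG = """\
2017-06-12T10:00:01 hmi-01 WRITE Line1.Conveyor.Speed 120
2017-06-12T10:00:05 hmi-01 READ Line1.Conveyor.Speed -
2017-06-12T10:01:10 eng-ws-02 WRITE Line1.Conveyor.Speed 130
2017-06-12T10:02:00 eng-ws-02 WRITE Line1.Conveyor.Start 0
2017-06-12T10:02:20 lab-pc-07 BROWSE * -
2017-06-12T10:02:30 lab-pc-07 WRITE Breaker.Feeder3.Open 1
2017-06-12T10:03:00 hmi-01 BROWSE * -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (READ|WRITE|BROWSE) (\S+) (\S+)$")


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    op: str
    tag: str
    value: str


def parse_log(text):
    """Parse the constructed log format into Event records; reject malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(Event(*m.groups()))
    return events


def check_writes(events, allowed=ALLOWED_WRITES):
    """Return (event, reason) pairs for activity outside the allow-list.

    Flags: a WRITE from a host with no write rights at all, a WRITE to a tag
    the host is not permitted to write, and a BROWSE (tag enumeration) from a
    host that is not in the allow-list, since enumeration from an unexpected
    host is the first step in the client-side sequence described in the thread.
    """
    findings = []
    for ev in events:
        if ev.op == "WRITE":
            if ev.host not in allowed:
                findings.append((ev, "write from host with no write rights"))
            elif ev.tag not in allowed[ev.host]:
                findings.append((ev, "write to tag not permitted for this host"))
        elif ev.op == "BROWSE" and ev.host not in allowed:
            findings.append((ev, "tag enumeration from unknown host"))
    return findings


if __name__ == "__main__":
    for ev, reason in check_writes(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts} {ev.host:<10} {ev.op:<6} {ev.tag:<24} {reason}")
```

On the constructed log this flags three records: the engineering workstation writing a start/stop tag it is not allowed to touch, and the unknown lab PC first enumerating tags and then writing a breaker tag. Reads and the HMI's own browse are left alone, which is the point: the allow-list is about who may change what, not about whether the protocol exchange is well-formed.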

    1. Destroy All Monsters Silver badge

      Re: Where the real problem lies

      But I want my weekly Ukraine-victimizing / probably Putler financed hacker story!

    2. GSTZ

      Re: Where the real problem lies

      Old mantra - it is very hard and expensive to build secure systems based on unsecure platforms.

      However, the bean counters demand cheap platforms, and neither know nor care what this means for IT security. When told, they ask their techies to just retrofit security onto the unsecure implementation as an add-on, which doesn't work very well. But they will always find some consultants/salesmen who claim to have some snake-oil product or service ...

      The big problem is the ever-growing investment in Windows-based software. Who dares to ask management to make this investment obsolete - and to spend quite a lot of time and money to build something new, with IT security in mind from day one?

  8. Anonymous Coward
    Anonymous Coward

    Someone shut off the power... on purpose... for something else.

    Either some VERY bored group of hackers brushed up on the industrial control systems... to turn off the power for shits and giggles. Or more likely something more important was hit when the power went out.

    1. Anonymous Coward
      Anonymous Coward

      Re: Someone shut off the power... on purpose... for something else.

      Either some VERY bored group of hackers brushed up on the industrial control systems... to turn off the power for shits and giggles. Or more likely something more important was hit when the power went out.

      Or even more likely, a small but important bit of electrical infrastructure installed in the 1970s and inadequately maintained for the past 20 years (if ever) has finally failed. The poorly trained and underpaid operators and maintenance crew were not able to deal with the issue in a timely manner, causing the problem to cascade city-wide. Once 'Uncle Vanya', the only maintenance engineer with working knowledge of the system remaining on staff, was induced to interrupt his evening communion with vodka, bacon, and salted cucumbers, the power was restored within minutes. When a later investigation found a virus on an isolated PC used by the night shift to play solitaire, it was generally agreed that a cyber-intrusion was a far more likely explanation than general incompetence and underfunding.

      Or something like this, anyways.

      1. Anonymous Coward
        Anonymous Coward

        Re: Someone shut off the power... on purpose... for something else.

        "a small but important bit of electrical infrastructure installed in the 1970s and inadequately maintained for the past 20 years (if ever) has finally failed."

        So a bit like the British Airways datacenter disaster but with better PR, basically?

  9. Anonymous Coward
    Big Brother

    Stolen misdirected attribution malware

    "The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.

    With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from."

  10. T. F. M. Reader

    Writing comprehension or clickbait?

    "Move over, Stuxnet" implies that this Industroyer is more awesome. However, "the most sophisticated [malware - TFMR] to hit industrial control systems since Stuxnet" actually means that Stuxnet is still the king. Please decide?
