{"id":8317,"date":"2022-06-13T12:00:00","date_gmt":"2022-06-13T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2022\/06\/13\/industroyer-a-cyber-weapon-that-brought-down-a-power-grid\/"},"modified":"2022-06-13T12:00:00","modified_gmt":"2022-06-13T09:00:00","slug":"industroyer-a-cyber-weapon-that-brought-down-a-power-grid","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2022\/06\/13\/industroyer-a-cyber-weapon-that-brought-down-a-power-grid\/","title":{"rendered":"Industroyer: A cyber-weapon that brought down a power grid"},"content":{"rendered":"<p>On June 12<sup>th<\/sup> 2017, <a href=\"https:\/\/www.welivesecurity.com\/2017\/06\/12\/industroyer-biggest-threat-industrial-control-systems-since-stuxnet\/\">ESET researchers published their findings<\/a> about unique malware that was capable of causing a widespread blackout. Industroyer, as they named it, was the first known piece of malware that was developed specifically to target a power grid.<\/p>\n<p>Indeed, Industroyer had been deployed to considerable effect a few months earlier \u2013 it caused thousands of homes in parts of Kyiv, Ukraine to lose power supplies for about an hour on December 17<sup>th<\/sup>, 2016, after the malware struck a local electrical substation. A few days later, ESET malware researcher <a href=\"https:\/\/www.welivesecurity.com\/author\/acherepanov\/\">Anton Cherepanov<\/a> would start dissecting Industroyer.<\/p>\n<h2>A ticking bomb<\/h2>\n<p>Once planted, Industroyer spread throughout the substation\u2019s network looking for specific industrial control devices whose communication protocols it could speak. 
Then, like a time bomb going off, it apparently opened every circuit breaker at once, while defying the substation operators\u2019 attempts to regain control: if an operator tried to close a breaker, the malware opened it back up.<\/p>\n<p>To clean up its footprint, the malware unleashed a data wiper that was designed to leave the substation\u2019s computers inoperable and delay the return to normal operations. As it turned out, the wiper often failed, but had it been more successful, the consequences could have been much worse \u2013 especially in wintertime, when a power outage can allow water-filled pipes to freeze and crack.<\/p>\n<p>In a final malicious act, the malware attempted to disable some of the protective relays at the substation, but that failed too. Without functioning protective relays in place, the substation equipment could have been at high risk of damage when the operators eventually reestablished electric transmission.<\/p>\n<p><a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2022\/06\/industroyer.jpg\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"282\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2022\/06\/industroyer.jpg\" width=\"901\"><\/a><\/p>\n<p>As Cherepanov and fellow ESET researcher <a href=\"https:\/\/www.welivesecurity.com\/author\/lipovsky\/\">Robert Lipovsky<\/a><br \/>\n<a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2017\/06\/Win32_Industroyer.pdf\">said at the time<\/a>, the sophistication of Industroyer makes it possible to adapt the malware to any similar environment. 
In fact, the industrial communication protocols that Industroyer speaks are used not only in Kyiv, but also \u201cworldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas)\u201d.<\/p>\n<p>On the other hand, considering how sophisticated Industroyer was, its impact was ultimately rather underwhelming, as <a href=\"https:\/\/www.youtube.com\/watch?v=oGE6xHEQyog\">ESET researchers noted themselves<\/a> back in 2017. Perhaps it was only a test for future attacks, or perhaps it was a sign of what the group behind it could do.<\/p>\n<h2>The work of Sandworm<\/h2>\n<p>The shenanigans of the malware, ESET researchers noted, mirror the malicious intentions of the people who created it. At a <a href=\"https:\/\/www.youtube.com\/watch?v=oGE6xHEQyog\">Virus Bulletin conference in 2017<\/a>, Lipovsky highlighted that the \u201cattackers had to understand the architecture of a power grid, what commands to send, and how that will be achieved\u201d. Its creators went a long way to create this malware, and their objective was not just a power outage. 
\u201cSome clues in the Industroyer configuration suggest they wanted to cause equipment damage and malfunction\u201d.<\/p>\n<p><a href=\"https:\/\/www.eset.com\/us\/black-hat-2017-post\/\">At Black Hat 2017<\/a>, Cherepanov also pointed out that it \u201cseems very unlikely anyone could write and test such malware without access to the specialized equipment used in the specific, targeted industrial environment\u201d.<\/p>\n<p>In October 2020, the <a href=\"https:\/\/www.justice.gov\/opa\/pr\/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and\">United States attributed the attack<\/a> to six officers belonging to Unit 74455, aka <a href=\"https:\/\/www.welivesecurity.com\/2022\/03\/21\/sandworm-tale-disruption-told-anew\/\">Sandworm<\/a>, a unit within Russia\u2019s military intelligence agency GRU.<\/p>\n<h2>A comeback for Industroyer<\/h2>\n<p>Fast forward to 2022 and it\u2019s no surprise that in the weeks just before and after <a href=\"https:\/\/www.welivesecurity.com\/2022\/06\/03\/100-days-war-ukraine-conflict-cyberspace\/\">Russia\u2019s invasion<\/a> on February 24<sup>th<\/sup>, <a href=\"https:\/\/www.welivesecurity.com\/2022\/06\/02\/eset-threat-report-t12022\/\">ESET telemetry showed<\/a> an increase in cyberattacks targeting Ukraine.<\/p>\n<p>On April 12<sup>th<\/sup>, together with CERT-UA, ESET researchers announced they had identified a new variant of Industroyer that targeted an energy supplier in Ukraine. <a href=\"https:\/\/www.welivesecurity.com\/2022\/04\/12\/industroyer2-industroyer-reloaded\/\">Industroyer2<\/a> had been scheduled to cut power for a region in Ukraine on April 8<sup>th<\/sup>; fortunately, the attack was thwarted before it could wreak further havoc on the war-torn country. 
ESET researchers assessed with high confidence that Sandworm was again responsible for this new attack.<\/p>\n<h2>A harbinger of things to come<\/h2>\n<p>In recent years, it\u2019s become more than clear that the world\u2019s critical infrastructure services are at major risk for disruptions. The string of <a href=\"https:\/\/www.welivesecurity.com\/2022\/04\/21\/critical-infrastructure-cyberattack-longer-think\/\">incidents that have impacted critical infrastructure<\/a> in Ukraine (and, indeed, other parts of the world) have awakened much of the public to the risks of cyberattack-induced power outages, water supply interruptions, fuel distribution disruptions, loss of medical data and many other consequences that can do far more than just disrupt our daily routines \u2013 they can be truly life-threatening.<\/p>\n<p>Back in 2017, both Cherepanov and Lipovsky concluded their <a href=\"https:\/\/www.welivesecurity.com\/2017\/06\/12\/industroyer-biggest-threat-industrial-control-systems-since-stuxnet\/\">research blog<\/a> with a warning that, five years later, still holds true: \u201cRegardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve as a wake-up call for those responsible for security of critical systems around the world\u201d.<\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/2022\/06\/13\/industroyer-cyber-weapon-brought-down-power-grid\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Five years ago, ESET researchers released their analysis of the first ever malware that was designed specifically to attack power 
grids<\/p>\n","protected":false},"author":5,"featured_media":8318,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2880],"tags":[],"class_list":["post-8317","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-digital-security"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8317","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8317"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8317\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8318"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8317"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8317"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8317"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}