ENCS comments on ‘Crash Override’ virus


Raising concern globally is news that the Crash Override virus has been found and that the Ukraine power outage of 2016 may well have been a test run for a larger attack.

The malware, which is reportedly able to target industrial control systems, with a specific focus on electricity grid operators, has prompted commentary from the European Network for Cyber Security (ENCS). According to ENCS, the malware framework, also known as INDUSTROYER, “does not infect embedded industrial equipment. It targets Windows systems in the SCADA control center and in the substations, that have access to mission critical devices, such as RTUs and protection relays that control switches and circuit breakers.”

“The basic techniques employed by CRASHOVERRIDE are not new in tradecraft; it is a modular backdoor that connects back to a Command and Control (C&C) server to wait for further instructions. This C&C server is an attacker controlled machine on the internet that is used to manage the infected hosts.”

ENCS warns, however, that Crash Override has the ability to load communication modules to communicate over ICS protocols, specifically:

  • IEC 60870-5-101
  • IEC 60870-5-104
  • IEC 61850
  • OPC DA

Malware potential to wreak havoc

A blog post by ENCS explains that: “These capabilities are leveraged by the malware to actively scan or passively discover the network for potential control devices (RTUs), then enumerate them looking for registers that control switches and circuit breakers. It can open such breakers and set the RTU in an infinite command loop which prevents operators from remotely shutting them. No vulnerability is exploited on the target device; rather, the inherently insecure nature of these industrial protocols is abused.”

It was further stressed that the malware can only be used once installed on a Windows host within a control centre or substation, and does not actively penetrate these systems itself. The system must first be compromised by other means, for example a phishing campaign, “followed by a lateral movement towards the SCADA system.”

ENCS recommended following established best practices for segregating the SCADA network from other IT networks.

Detection rules and indicators of compromise have been provided by US-CERT, Dragos and ESET.
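As an added illustration of the two points above, network segregation and detection, the following Python script (written for this page, not ENCS's, US-CERT's, Dragos's or ESET's rules) checks flow records against a segmentation policy. It flags ICS protocol sessions into the SCADA segment that originate outside it (the lateral movement path described earlier) and SCADA hosts connecting to external addresses (the C&C call-back pattern). The address ranges and the `key=value` record format are assumptions for the example; the TCP ports are the standard ones for IEC 60870-5-104, IEC 61850 MMS and DCOM. IEC 60870-5-101 is serial and so cannot be matched in IP flow data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumed address plan for this example (not from the article): the SCADA/OT
# segment, and the internal ranges from which any traffic is expected at all.
SCADA_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# TCP ports used by the ICS protocols the article lists. IEC 60870-5-101 is a
# serial protocol with no TCP port, so it cannot be matched on flow records.
ICS_TCP_PORTS: Dict[int, str] = {
    2404: "IEC 60870-5-104",
    102: "IEC 61850 MMS (ISO-TSAP)",
    135: "OPC DA (DCOM endpoint mapper)",
}


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


@dataclass
class Alert:
    rule: str
    flow: Flow


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' flow record (assumed format),
    e.g. 'src=10.1.1.1 dst=10.2.2.2 dport=2404 proto=tcp'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(
        src=ipaddress.ip_address(fields["src"]),
        dst=ipaddress.ip_address(fields["dst"]),
        dport=int(fields["dport"]),
        proto=fields["proto"].lower(),
    )


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETWORKS)


def check_flow(flow: Flow) -> List[Alert]:
    alerts: List[Alert] = []
    src_in_scada = flow.src in SCADA_SEGMENT
    dst_in_scada = flow.dst in SCADA_SEGMENT

    # Rule 1: an ICS protocol session into the SCADA segment from a host outside
    # it. With the segregation ENCS recommends, only SCADA control-centre hosts
    # should speak these protocols to substation devices.
    if (flow.proto == "tcp" and flow.dport in ICS_TCP_PORTS
            and dst_in_scada and not src_in_scada):
        alerts.append(Alert(f"ics-protocol-from-outside-scada:{ICS_TCP_PORTS[flow.dport]}", flow))

    # Rule 2: a SCADA host connecting to an address outside every internal range.
    # A segregated SCADA host has no reason to reach the internet; this is the
    # shape of a backdoor contacting its C&C server.
    if src_in_scada and not is_internal(flow.dst):
        alerts.append(Alert("scada-host-to-external-address", flow))
    return alerts


def scan(lines: List[str]) -> List[Alert]:
    """Run both rules over a batch of flow records, in order."""
    return [a for line in lines if line.strip() for a in check_flow(parse_flow(line))]


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "src=10.50.1.10 dst=10.50.3.7 dport=2404 proto=tcp",   # HMI polling an RTU: expected
    "src=10.20.1.5 dst=10.50.3.7 dport=2404 proto=tcp",    # IT workstation to an RTU: rule 1
    "src=10.50.1.10 dst=203.0.113.9 dport=443 proto=tcp",  # SCADA host to the internet: rule 2
    "src=10.20.1.5 dst=203.0.113.9 dport=443 proto=tcp",   # IT workstation browsing: expected
    "src=10.20.1.5 dst=10.50.3.8 dport=102 proto=tcp",     # IT workstation to an IEC 61850 device: rule 1
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(f"{alert.rule}: {alert.flow.src} -> {alert.flow.dst}:{alert.flow.dport}")
```

Run against the constructed records it raises three alerts: the two IT-to-substation ICS sessions and the SCADA host's external connection. The rules deliberately key on segment membership rather than on a specific malware signature, so they keep working when a new backdoor variant changes its indicators but still has to cross the same network boundaries.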

“Although the immediate threat of CRASHOVERRIDE is not prominent, the fact that certain groups are actively developing and testing cyber capabilities to interfere with the operation of the electricity grid should not be treated easily. It signals an alarming shift in the threat landscape of such systems,” ENCS warned.