By: Kevin Poulsen, The Daily Beast |
Technicians responded to the Pivnichna substation and took the circuit breakers off computer control, restoring power a little after 1 a.m. It was only the second confirmed case of a computer attack triggering an electrical blackout, and compared to the first, 12 months earlier—also in Ukraine—it was a fizzle, affecting far fewer customers and for a fraction of the time. In the six months since the Kiev attack, security researchers have wondered why the hackers even bothered with such a fleeting disruption and speculated that someone was using Ukraine as a testing ground for a more serious attack.
Now that dark assessment seems to be confirmed. Researchers at two security companies on Monday announced they’ve finally found and analyzed the malware that triggered the Kiev blackout, and it’s far worse than imagined. The computer code, dubbed “CrashOverride” by Maryland-based Dragos, and “Industroyer” by ESET in Slovakia, is a genuine cyber weapon that can map out a power station’s control network and, with minimal human guidance, issue malicious commands directly to critical equipment. Only once before has the world seen malware designed for such sabotage, with the 2010 Stuxnet virus used against Iran’s nuclear program. CrashOverride is the first to target civilians and the first such malware built to target a nation’s power supply.
It’s unclear who created CrashOverrride. Both ESET and Dragos say it was built from scratch, leaving none of the usual fingerprints that allow analysts to link one hacking campaign to another. Ukraine has faced a near-biblical plague of cyberattacks since entering into hostilities with Russia three years ago, and many have led unequivocally to Moscow. But not so with CrashOverride.
The only thing that’s certain, says security researcher Robert Lee, CEO of Dragos, is that the malware wasn’t built as a one-time weapon. It’s designed from the ground up to be easily reconfigured for a variety of targets and contains some payloads that weren’t even fired off in the Kiev attack.