<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Cyber Attack Caused Massive Power Outage</title>
	<atom:link href="http://www.epanorama.net/blog/2016/01/11/cyber-attack-caused-massive-power-outage/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2016/01/11/cyber-attack-caused-massive-power-outage/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Fri, 10 Apr 2026 21:14:09 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/11/cyber-attack-caused-massive-power-outage/comment-page-1/#comment-1571334</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 20 Nov 2017 12:54:41 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=37773#comment-1571334</guid>
		<description><![CDATA[Moxa NPort Devices Vulnerable to Remote Attacks
http://www.securityweek.com/moxa-nport-devices-vulnerable-remote-attacks

Hundreds of Moxa Devices Similar to Ones Targeted in Ukraine Power Grid Hack Vulnerable to Remote Attacks
Firmware updates released by Moxa for some of its NPort serial device servers patch several high severity vulnerabilities that can be exploited remotely. These types of devices were targeted in the 2015 attack on Ukraine’s energy sector.
According to an advisory published by ICS-CERT, the flaws affect NPort 5110 versions 2.2, 2.4, 2.6 and 2.7, NPort 5130 version 3.7 and prior, and NPort 5150 version 3.7 and prior. The security holes have been patched with the release of version 2.9 for NPort 5110 and version 3.8 for NPort 5130 and 5150.
ICS-CERT said one of the vulnerabilities, CVE-2017-16719, allows an attacker to inject packets and disrupt the availability of the device. Another flaw, CVE-2017-16715, is related to the handling of Ethernet frame padding and it could lead to information disclosure, while the last issue, CVE-2017-14028, can be leveraged to cause memory exhaustion by sending a large amount of TCP SYN packets.
Adamsky pointed out that in the 2015 attack on Ukraine’s power grid, which caused significant blackouts, the hackers targeted these types of devices in an effort to make them inoperable. A detailed research paper describing the vulnerabilities will be published at some point in the future.]]></description>
		<content:encoded><![CDATA[<p>Moxa NPort Devices Vulnerable to Remote Attacks<br />
<a href="http://www.securityweek.com/moxa-nport-devices-vulnerable-remote-attacks" rel="nofollow">http://www.securityweek.com/moxa-nport-devices-vulnerable-remote-attacks</a></p>
<p>Hundreds of Moxa Devices Similar to Ones Targeted in Ukraine Power Grid Hack Vulnerable to Remote Attacks<br />
Firmware updates released by Moxa for some of its NPort serial device servers patch several high severity vulnerabilities that can be exploited remotely. These types of devices were targeted in the 2015 attack on Ukraine’s energy sector.<br />
According to an advisory published by ICS-CERT, the flaws affect NPort 5110 versions 2.2, 2.4, 2.6 and 2.7, NPort 5130 version 3.7 and prior, and NPort 5150 version 3.7 and prior. The security holes have been patched with the release of version 2.9 for NPort 5110 and version 3.8 for NPort 5130 and 5150.<br />
ICS-CERT said one of the vulnerabilities, CVE-2017-16719, allows an attacker to inject packets and disrupt the availability of the device. Another flaw, CVE-2017-16715, is related to the handling of Ethernet frame padding and it could lead to information disclosure, while the last issue, CVE-2017-14028, can be leveraged to cause memory exhaustion by sending a large amount of TCP SYN packets.<br />
Adamsky pointed out that in the 2015 attack on Ukraine’s power grid, which caused significant blackouts, the hackers targeted these types of devices in an effort to make them inoperable. A detailed research paper describing the vulnerabilities will be published at some point in the future.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/11/cyber-attack-caused-massive-power-outage/comment-page-1/#comment-1553757</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 05 Jul 2017 10:41:10 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=37773#comment-1553757</guid>
		<description><![CDATA[Report Released on Malware Designed to Attack Electric Grids
http://www.tdworld.com/grid-security/report-released-malware-designed-attack-electric-grids?NL=TDW-01&amp;Issue=TDW-01_20170614_TDW-01_465&amp;sfvc4enews=42&amp;cl=article_2_b&amp;utm_rid=CPG04000001994923&amp;utm_campaign=14476&amp;utm_medium=email&amp;elq2=6f834e846d264b98ad4269ae9061b116

Researchers have discovered the malware capability used in the Dec. 17, 2016, cyber-attack on a Ukraine transmission substation that resulted in power outages in Kiev. ESET, a Slovakian anti-virus software maker, and Dragos Inc, a U.S. critical-infrastructure security firm, released an industry report to inform the electric sector and security community of the potential implications of the malware.

The two firms said they did not know who was behind the cyber attack. Ukraine has blamed Russia, though officials in Moscow have repeatedly denied blame, according to a Reuters report. Still, the firms warned that there could be more attacks using the same approach, either by the group that built the malware or copycats who modify the malicious software.

&quot;There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites,&quot; said Robert M. Lee in a Dragos blog. 

CRASHOVERRIDE
https://dragos.com/blog/crashoverride/

Today the Dragos, Inc. team is releasing a report titled CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids. CRASHOVERRIDE is a malware framework that has not been disclosed before today but is the capability used in the cyber-attack on the Ukraine electric grid in 2016 (not the 2015 attack). Dragos can also confirm that we are tracking the adversary group behind the attack as ELECTRUM and can assess with high confidence the group has direct ties to the Sandworm Team which targeted infrastructure companies in the United States and Europe in 2014 and Ukraine electric utilities in 2015. 

The purpose of this blog is to introduce some high-level items for everyone to be aware of (especially those that do not have time to read the full report).

    The electric grid is extremely reliable. CRASHOVERRIDE represents alarming tradecraft and the ability to disrupt operations, but the public must understand that the outages could be in hours or days not in weeks or months. The electric grid operators train regularly to restore power for similar sized events such as weather storms. The first thank you that needs to be publicly stated is to those men and women responsible for having put the electric grid into a defensible situation through their dedication to reliability and safety of electric power.
    The Slovakian anti-virus firm ESET informed Dragos on June 8th, 2017 that they would be releasing their report on June 12th on a piece of malware they identify as &quot;Industroyer.&quot; The request was to validate findings to reporters they were speaking to because Dragos has subject matter experts focused on ICS security. 

Dragos was able to confirm much of ESET&#039;s analysis and leveraged the digital hashes to find other undisclosed samples and connections to a group we are tracking internally as ELECTRUM. Because of the new functionality, connections to the threat group, numerous references to crash.dll in the malware, and our analysis that this is not industry-wide focused but specific to electric grid operations, the team named this malware CRASHOVERRIDE.
The CRASHOVERRIDE malware is a framework that has modules specific to ICS protocol stacks including IEC 101, IEC 104, IEC 61850, and OPC. It is designed to allow the inclusion of additional payloads such as DNP3 but at this time no such payloads have been confirmed. The malware also contains additional non-ICS specific modules such as a wiper to delete files and processes off of the running system for a destructive attack to operations technology gear (not physical destruction of grid equipment).

The modules in CRASHOVERRIDE are leveraged to open circuit breakers on RTUs and force them into an infinite loop keeping the circuit breakers open even if grid operators attempt to shut them. This is what causes the impact of de-energizing the substations. Grid operators could go back to manual operations to alleviate this issue.

The CRASHOVERRIDE malware appears to have not used all of its functionality and modules, and it appears the Kiev transmission substation targeted in 2016 may have been more of a proof of concept attack than a full demonstration of the capability in CRASHOVERRIDE.

CRASHOVERRIDE&#039;s wiper searches for specific ABB files to delete off of a system; however, there are no vulnerabilities in ABB that this malware takes advantage of.

ESET&#039;s report cites a Siemens SIPROTEC denial of service based on a publicly disclosed 2015 vulnerability. However, we cannot confirm the existence of this module.

There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites. However, it is important to know this is not a catastrophic scenario; there is no evidence the ELECTRUM actors could use CRASHOVERRIDE to do more than a few days of outages, and even to get a few days, would require the targeting of multiple sites simultaneously which is entirely possible but not trivial. 

Indicators of compromise for the CRASHOVERRIDE malware can be found in the industry report. Indicators of compromise are available, but the most important thing for security teams to watch for is malicious behaviors and set patterns associated with the ICS communications.]]></description>
		<content:encoded><![CDATA[<p>Report Released on Malware Designed to Attack Electric Grids<br />
<a href="http://www.tdworld.com/grid-security/report-released-malware-designed-attack-electric-grids?NL=TDW-01&#038;Issue=TDW-01_20170614_TDW-01_465&#038;sfvc4enews=42&#038;cl=article_2_b&#038;utm_rid=CPG04000001994923&#038;utm_campaign=14476&#038;utm_medium=email&#038;elq2=6f834e846d264b98ad4269ae9061b116" rel="nofollow">http://www.tdworld.com/grid-security/report-released-malware-designed-attack-electric-grids?NL=TDW-01&#038;Issue=TDW-01_20170614_TDW-01_465&#038;sfvc4enews=42&#038;cl=article_2_b&#038;utm_rid=CPG04000001994923&#038;utm_campaign=14476&#038;utm_medium=email&#038;elq2=6f834e846d264b98ad4269ae9061b116</a></p>
<p>Researchers have discovered the malware capability used in the Dec. 17, 2016, cyber-attack on a Ukraine transmission substation that resulted in power outages in Kiev. ESET, a Slovakian anti-virus software maker, and Dragos Inc, a U.S. critical-infrastructure security firm, released an industry report to inform the electric sector and security community of the potential implications of the malware.</p>
<p>The two firms said they did not know who was behind the cyber attack. Ukraine has blamed Russia, though officials in Moscow have repeatedly denied blame, according to a Reuters report. Still, the firms warned that there could be more attacks using the same approach, either by the group that built the malware or copycats who modify the malicious software.</p>
<p>&#8220;There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites,&#8221; said Robert M. Lee in a Dragos blog. </p>
<p>CRASHOVERRIDE<br />
<a href="https://dragos.com/blog/crashoverride/" rel="nofollow">https://dragos.com/blog/crashoverride/</a></p>
<p>Today the Dragos, Inc. team is releasing a report titled CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids. CRASHOVERRIDE is a malware framework that has not been disclosed before today but is the capability used in the cyber-attack on the Ukraine electric grid in 2016 (not the 2015 attack). Dragos can also confirm that we are tracking the adversary group behind the attack as ELECTRUM and can assess with high confidence the group has direct ties to the Sandworm Team which targeted infrastructure companies in the United States and Europe in 2014 and Ukraine electric utilities in 2015. </p>
<p>The purpose of this blog is to introduce some high-level items for everyone to be aware of (especially those that do not have time to read the full report).</p>
<p>    The electric grid is extremely reliable. CRASHOVERRIDE represents alarming tradecraft and the ability to disrupt operations, but the public must understand that the outages could be in hours or days not in weeks or months. The electric grid operators train regularly to restore power for similar sized events such as weather storms. The first thank you that needs to be publicly stated is to those men and women responsible for having put the electric grid into a defensible situation through their dedication to reliability and safety of electric power.<br />
    The Slovakian anti-virus firm ESET informed Dragos on June 8th, 2017 that they would be releasing their report on June 12th on a piece of malware they identify as &#8220;Industroyer.&#8221; The request was to validate findings to reporters they were speaking to because Dragos has subject matter experts focused on ICS security. </p>
<p>Dragos was able to confirm much of ESET&#8217;s analysis and leveraged the digital hashes to find other undisclosed samples and connections to a group we are tracking internally as ELECTRUM. Because of the new functionality, connections to the threat group, numerous references to crash.dll in the malware, and our analysis that this is not industry-wide focused but specific to electric grid operations, the team named this malware CRASHOVERRIDE.<br />
The CRASHOVERRIDE malware is a framework that has modules specific to ICS protocol stacks including IEC 101, IEC 104, IEC 61850, and OPC. It is designed to allow the inclusion of additional payloads such as DNP3 but at this time no such payloads have been confirmed. The malware also contains additional non-ICS specific modules such as a wiper to delete files and processes off of the running system for a destructive attack to operations technology gear (not physical destruction of grid equipment).</p>
<p>The modules in CRASHOVERRIDE are leveraged to open circuit breakers on RTUs and force them into an infinite loop keeping the circuit breakers open even if grid operators attempt to shut them. This is what causes the impact of de-energizing the substations. Grid operators could go back to manual operations to alleviate this issue.</p>
<p>The CRASHOVERRIDE malware appears to have not used all of its functionality and modules, and it appears the Kiev transmission substation targeted in 2016 may have been more of a proof of concept attack than a full demonstration of the capability in CRASHOVERRIDE.</p>
<p>CRASHOVERRIDE&#8217;s wiper searches for specific ABB files to delete off of a system; however, there are no vulnerabilities in ABB that this malware takes advantage of.</p>
<p>ESET&#8217;s report cites a Siemens SIPROTEC denial of service based on a publicly disclosed 2015 vulnerability. However, we cannot confirm the existence of this module.</p>
<p>There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites. However, it is important to know this is not a catastrophic scenario; there is no evidence the ELECTRUM actors could use CRASHOVERRIDE to do more than a few days of outages, and even to get a few days, would require the targeting of multiple sites simultaneously which is entirely possible but not trivial. </p>
<p>Indicators of compromise for the CRASHOVERRIDE malware can be found in the industry report. Indicators of compromise are available, but the most important thing for security teams to watch for is malicious behaviors and set patterns associated with the ICS communications.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/11/cyber-attack-caused-massive-power-outage/comment-page-1/#comment-1552132</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 22 Jun 2017 13:18:55 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=37773#comment-1552132</guid>
		<description><![CDATA[&#039;Industroyer&#039; ICS Malware Linked to Ukraine Power Grid Attack 
http://www.securityweek.com/industroyer-ics-malware-linked-ukraine-power-grid-attack]]></description>
		<content:encoded><![CDATA[<p>&#8216;Industroyer&#8217; ICS Malware Linked to Ukraine Power Grid Attack<br />
<a href="http://www.securityweek.com/industroyer-ics-malware-linked-ukraine-power-grid-attack" rel="nofollow">http://www.securityweek.com/industroyer-ics-malware-linked-ukraine-power-grid-attack</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/11/cyber-attack-caused-massive-power-outage/comment-page-1/#comment-1551998</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 21 Jun 2017 09:38:54 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=37773#comment-1551998</guid>
		<description><![CDATA[How An Entire Nation Became Russia&#039;s Test Lab for Cyberwar
https://www.wired.com/story/russian-hackers-attack-ukraine/]]></description>
		<content:encoded><![CDATA[<p>How An Entire Nation Became Russia&#8217;s Test Lab for Cyberwar<br />
<a href="https://www.wired.com/story/russian-hackers-attack-ukraine/" rel="nofollow">https://www.wired.com/story/russian-hackers-attack-ukraine/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/11/cyber-attack-caused-massive-power-outage/comment-page-1/#comment-1551996</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 21 Jun 2017 09:37:55 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=37773#comment-1551996</guid>
		<description><![CDATA[Industroyer: Biggest threat to industrial control systems since Stuxnet
https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/

The 2016 attack on Ukraine’s power grid that deprived part of its capital, Kiev, of power for an hour was caused by a cyberattack. ESET researchers have since analyzed samples of malware, detected by ESET as Win32/Industroyer, capable of performing exactly that type of attack.

Whether the same malware was really involved in what cybersecurity experts consider to have been a large-scale test is yet to be confirmed. Regardless, the malware is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.

Figure 1: Scheme of Industroyer operation

Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).

The recent power outage occurred on December 17th, 2016, almost exactly one year after the well-documented cyberattack that caused a blackout that affected around 250,000 households in several regions in Ukraine on December 23rd, 2015.

In 2015, the perpetrators infiltrated the electricity distribution networks with the BlackEnergy malware, along with KillDisk and other malicious components, and then abused legitimate remote access software to control operators’ workstations and to cut off power. Aside from targeting the Ukrainian power grid, there are no apparent similarities in code between BlackEnergy and Industroyer.

What sets Industroyer apart from other malware targeting infrastructure is its use of four payload components, which are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.

Each of these components targets particular communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA).

Generally, the payloads work in stages whose goals are mapping the network, and then figuring out and issuing commands that will work with the specific industrial control devices. Industroyer’s payloads show the authors’ deep knowledge and understanding of industrial control systems.]]></description>
		<content:encoded><![CDATA[<p>Industroyer: Biggest threat to industrial control systems since Stuxnet<br />
<a href="https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/" rel="nofollow">https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/</a></p>
<p>The 2016 attack on Ukraine’s power grid that deprived part of its capital, Kiev, of power for an hour was caused by a cyberattack. ESET researchers have since analyzed samples of malware, detected by ESET as Win32/Industroyer, capable of performing exactly that type of attack.</p>
<p>Whether the same malware was really involved in what cybersecurity experts consider to have been a large-scale test is yet to be confirmed. Regardless, the malware is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.</p>
<p>Figure 1: Scheme of Industroyer operation</p>
<p>Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).</p>
<p>The recent power outage occurred on December 17th, 2016, almost exactly one year after the well-documented cyberattack that caused a blackout that affected around 250,000 households in several regions in Ukraine on December 23rd, 2015.</p>
<p>In 2015, the perpetrators infiltrated the electricity distribution networks with the BlackEnergy malware, along with KillDisk and other malicious components, and then abused legitimate remote access software to control operators’ workstations and to cut off power. Aside from targeting the Ukrainian power grid, there are no apparent similarities in code between BlackEnergy and Industroyer.</p>
<p>What sets Industroyer apart from other malware targeting infrastructure is its use of four payload components, which are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.</p>
<p>Each of these components targets particular communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA).</p>
<p>Generally, the payloads work in stages whose goals are mapping the network, and then figuring out and issuing commands that will work with the specific industrial control devices. Industroyer’s payloads show the authors’ deep knowledge and understanding of industrial control systems.</p>
]]></content:encoded>
	</item>
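A detection-side illustration of the two behaviours the Dragos and ESET write-ups above describe, protocol-level breaker commands (the IEC 104 module here) and the loop that keeps re-sending them, given as an added example that is not code from ESET, Dragos or this page. It decodes the IEC 60870-5-104 APCI/ASDU header and applies two rules to a constructed capture: control activations from a host that is not an allow-listed SCADA master, and repeated execute-OFF commands to the same station/object address inside a short window. The host addresses, common addresses, information object addresses, thresholds and frames are assumptions made up for the demo, not indicators from either report.

```python
# Added example (not ESET's, Dragos' or this page's code): decode IEC 104 frames
# and flag breaker commands from unknown hosts or repeated in a tight loop.
# Addresses, IOAs, thresholds and frames below are constructed for the demo.

CONTROL_TYPES = {  # ASDU type identifiers of commands that operate switches/breakers
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission "act": the master asks the RTU to act


def parse_apdu(frame: bytes):
    """Decode one APDU (APCI + ASDU). Returns None for S/U-format frames,
    which carry no ASDU; raises ValueError on a bad start byte or length."""
    if not (len(frame) >= 6 and frame[0] == 0x68 and frame[1] == len(frame) - 2):
        raise ValueError("malformed APDU")
    if frame[2] % 2 == 1:  # control field 1, bit 0 set: S- or U-format
        return None
    asdu = frame[6:]
    if not len(asdu) >= 6:
        raise ValueError("truncated ASDU")
    type_id = asdu[0]
    result = {
        "send_seq": (frame[2] >> 1) + frame[3] * 128,  # N(S), 15-bit counter
        "recv_seq": (frame[4] >> 1) + frame[5] * 128,  # N(R)
        "type_id": type_id,
        "cot": asdu[2] % 64,               # cause of transmission (low 6 bits)
        "casdu": asdu[4] + asdu[5] * 256,  # common address of ASDU (the station)
        "objects": [],
    }
    if type_id in CONTROL_TYPES:
        if not len(asdu) >= 10:
            raise ValueError("truncated command ASDU")
        # One object per command: 3-byte IOA plus the SCO/DCO/RCO qualifier byte
        # (time-tagged variants append CP56Time2a, which is ignored here).
        ioa = asdu[6] + asdu[7] * 256 + asdu[8] * 65536
        qualifier = asdu[9]
        if type_id in (45, 58):
            state = "ON" if qualifier % 2 == 1 else "OFF"               # SCS bit
        elif type_id in (46, 59):
            state = {1: "OFF", 2: "ON"}.get(qualifier % 4, "INVALID")  # DCS bits
        else:
            state = "STEP"
        result["objects"].append(
            {"ioa": ioa, "state": state, "select": qualifier >> 7 == 1})  # S/E bit
    return result


def build_double_command(ioa, casdu=1, turn_off=True, send_seq=0, recv_seq=0):
    """Build an I-format C_DC_NA_1 activation frame (execute, no select)."""
    dco = 1 if turn_off else 2  # DCS: 1 = OFF (open the breaker), 2 = ON
    asdu = bytes([46, 0x01, COT_ACTIVATION, 0x00, casdu % 256, casdu // 256,
                  ioa % 256, (ioa // 256) % 256, ioa // 65536, dco])
    apci = bytes([0x68, 4 + len(asdu), (send_seq % 128) * 2, send_seq // 128,
                  (recv_seq % 128) * 2, recv_seq // 128])
    return apci + asdu


def detect_breaker_attack(events, trusted_masters, max_repeats=3, window_s=10.0):
    """events: iterable of (time_s, src_ip, frame). Returns a list of alert dicts.
    Rule 1: a control activation from a host outside trusted_masters.
    Rule 2: more than max_repeats execute-OFF commands to one (CASDU, IOA)
    within window_s seconds, i.e. a breaker being held open in a loop."""
    alerts, history = [], {}
    for t, src, frame in events:
        apdu = parse_apdu(frame)
        if apdu is None or apdu["type_id"] not in CONTROL_TYPES:
            continue
        if apdu["cot"] != COT_ACTIVATION:
            continue  # confirmations/terminations come back from the RTU
        for obj in apdu["objects"]:
            base = {"t": t, "src": src, "command": CONTROL_TYPES[apdu["type_id"]],
                    "casdu": apdu["casdu"], "ioa": obj["ioa"], "state": obj["state"]}
            if src not in trusted_masters:
                alerts.append(dict(base, rule="untrusted_source"))
            if obj["state"] == "OFF" and not obj["select"]:
                key = (apdu["casdu"], obj["ioa"])
                recent = [x for x in history.get(key, []) if x >= t - window_s]
                recent.append(t)
                history[key] = recent
                if len(recent) == max_repeats + 1:  # fire once, when crossed
                    alerts.append(dict(base, rule="command_loop", repeats=len(recent)))
    return alerts


def sample_events():
    """Constructed traffic: STARTDT and one operator command from the master,
    then an intruder commanding three breakers open four times each."""
    master, intruder = "10.1.1.10", "10.1.1.77"
    startdt_act = bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])  # U-format frame
    events = [(0.0, master, startdt_act),
              (0.5, master, build_double_command(1001, send_seq=5, recv_seq=7))]
    t = 60.0
    for rep in range(4):
        for ioa in (1001, 1002, 1003):
            events.append((t, intruder, build_double_command(ioa, send_seq=rep)))
            t += 0.2
    return events


def run_demo():
    return detect_breaker_attack(sample_events(), trusted_masters={"10.1.1.10"})
```

The demo traffic is built with the block's own helper and decoded by its own parser, so the same parser can be pointed at TCP payloads split on the 0x68 start byte. It checks the cause of transmission so that the RTU's activation confirmations (COT 7) are not counted as commands, and it alerts once per (station, object) when the repeat threshold is crossed rather than on every following frame; the allow-list rule fires independently, which is what catches a single well-formed command from a workstation that should never be speaking IEC 104 at all.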
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/11/cyber-attack-caused-massive-power-outage/comment-page-1/#comment-1551994</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 21 Jun 2017 09:35:13 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=37773#comment-1551994</guid>
		<description><![CDATA[&#039;Crash Override&#039;: The Malware That Took Down a Power Grid
https://www.wired.com/story/crash-override-malware/

At midnight, a week before last Christmas, hackers struck an electric transmission station north of the city of Kiev, blacking out a portion of the Ukrainian capital equivalent to a fifth of its total power capacity. The outage lasted about an hour—hardly a catastrophe. But now cybersecurity researchers have found disturbing evidence that the blackout may have only been a dry run. The hackers appear to have been testing the most evolved specimen of grid-sabotaging malware ever observed in the wild.

Cybersecurity firms ESET and Dragos Inc. plan today to release detailed analyses of a piece of malware used to attack the Ukrainian electric utility Ukrenergo 


CRASHOVERRIDE
https://dragos.com/blog/crashoverride/

Today the Dragos, Inc. team is releasing a report titled CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids. CRASHOVERRIDE is a malware framework that has not been disclosed before today but is the capability used in the cyber-attack on the Ukraine electric grid in 2016 (not the 2015 attack). Dragos can also confirm that we are tracking the adversary group behind the attack as ELECTRUM and can assess with high confidence the group has direct ties to the Sandworm Team which targeted infrastructure companies in the United States and Europe in 2014 and Ukraine electric utilities in 2015.]]></description>
		<content:encoded><![CDATA[<p>&#8216;Crash Override&#8217;: The Malware That Took Down a Power Grid<br />
<a href="https://www.wired.com/story/crash-override-malware/" rel="nofollow">https://www.wired.com/story/crash-override-malware/</a></p>
<p>At midnight, a week before last Christmas, hackers struck an electric transmission station north of the city of Kiev, blacking out a portion of the Ukrainian capital equivalent to a fifth of its total power capacity. The outage lasted about an hour—hardly a catastrophe. But now cybersecurity researchers have found disturbing evidence that the blackout may have only been a dry run. The hackers appear to have been testing the most evolved specimen of grid-sabotaging malware ever observed in the wild.</p>
<p>Cybersecurity firms ESET and Dragos Inc. plan today to release detailed analyses of a piece of malware used to attack the Ukrainian electric utility Ukrenergo </p>
<p>CRASHOVERRIDE<br />
<a href="https://dragos.com/blog/crashoverride/" rel="nofollow">https://dragos.com/blog/crashoverride/</a></p>
<p>Today the Dragos, Inc. team is releasing a report titled CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids. CRASHOVERRIDE is a malware framework that has not been disclosed before today but is the capability used in the cyber-attack on the Ukraine electric grid in 2016 (not the 2015 attack). Dragos can also confirm that we are tracking the adversary group behind the attack as ELECTRUM and can assess with high confidence the group has direct ties to the Sandworm Team which targeted infrastructure companies in the United States and Europe in 2014 and Ukraine electric utilities in 2015.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/11/cyber-attack-caused-massive-power-outage/comment-page-1/#comment-1551993</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 21 Jun 2017 09:34:07 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=37773#comment-1551993</guid>
		<description><![CDATA[Watch Hackers Take Over the Mouse of a Power-Grid Computer
https://www.wired.com/story/video-hackers-take-over-power-grid-computer-mouse

The best work of hackers tends to remain invisible. But when sophisticated intruders broke into the computer networks of regional energy firms in Ukraine in 2015 and cut power to roughly a quarter million people, their tampering didn&#039;t go unnoticed. In this rare instance, the staff of one of those electric utilities managed to capture the hackers&#039; handiwork on video, which you can watch

Two days before Christmas in 2015, engineers at the Prykarpattyaoblenergo regional energy company in Western Ukraine found themselves locked out of their PCs. More troubling still, their mouse cursors moved of their own accord. The workers watched as hackers methodically clicked on circuit breakers in their grid operation software, each time opening the breakers and cutting power to another swath of the region.

In the process of reporting our cover story on those blackouts— and the larger cyberwar affecting Ukraine—WIRED obtained a video that one of those engineers shot with his iPhone, recording a &quot;phantom mouse&quot; attack as it happened.

In WIRED&#039;s investigation of that breach and another blackout that occurred in Ukraine a year later, we&#039;ve tracked the evolution of those hackers: How they&#039;ve graduated to using a digital weapon known as CrashOverride that can trigger Stuxnet-style automated attacks on infrastructure]]></description>
		<content:encoded><![CDATA[<p>Watch Hackers Take Over the Mouse of a Power-Grid Computer<br />
<a href="https://www.wired.com/story/video-hackers-take-over-power-grid-computer-mouse" rel="nofollow">https://www.wired.com/story/video-hackers-take-over-power-grid-computer-mouse</a></p>
<p>The best work of hackers tends to remain invisible. But when sophisticated intruders broke into the computer networks of regional energy firms in Ukraine in 2015 and cut power to roughly a quarter million people, their tampering didn&#8217;t go unnoticed. In this rare instance, the staff of one of those electric utilities managed to capture the hackers&#8217; handiwork on video, which you can watch</p>
<p>Two days before Christmas in 2015, engineers at the Prykarpattyaoblenergo regional energy company in Western Ukraine found themselves locked out of their PCs. More troubling still, their mouse cursors moved of their own accord. The workers watched as hackers methodically clicked on circuit breakers in their grid operation software, each time opening the breakers and cutting power to another swath of the region.</p>
<p>In the process of reporting our cover story on those blackouts— and the larger cyberwar affecting Ukraine—WIRED obtained a video that one of those engineers shot with his iPhone, recording a &#8220;phantom mouse&#8221; attack as it happened.</p>
<p>In WIRED&#8217;s investigation of that breach and another blackout that occurred in Ukraine a year later, we&#8217;ve tracked the evolution of those hackers: How they&#8217;ve graduated to using a digital weapon known as CrashOverride that can trigger Stuxnet-style automated attacks on infrastructure</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/11/cyber-attack-caused-massive-power-outage/comment-page-1/#comment-1551927</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 20 Jun 2017 21:17:32 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=37773#comment-1551927</guid>
		<description><![CDATA[Andy Greenberg / Wired: 	
Experts warn that repeated cyberattacks on Ukraine, including mass power outages in Kiev, are evidence of Russia testing its offensive cyber capabilities

How An Entire Nation Became Russia&#039;s Test Lab for Cyberwar
https://www.wired.com/story/russian-hackers-attack-ukraine

Noting the precise time and the date, almost exactly a year since the December 2015 grid attack, Yasinsky felt sure that this was no normal blackout. He thought of the cold outside—close to zero degrees Fahrenheit—the slowly sinking temperatures in thousands of homes, and the countdown until dead water pumps led to frozen pipes.

That’s when another paranoid thought began to work its way through his mind: For the past 14 months, Yasinsky had found himself at the center of an enveloping crisis. A growing roster of Ukrainian companies and government agencies had come to him to analyze a plague of cyberattacks that were hitting them in rapid, remorseless succession. A single group of hackers seemed to be behind all of it. Now he couldn’t suppress the sense that those same phantoms, whose fingerprints he had traced for more than a year, had reached back, out through the internet’s ether, into his home.

The Cyber-Cassandras said this would happen. For decades they warned that hackers would soon make the leap beyond purely digital mayhem and start to cause real, physical damage to the world. In 2009, when the NSA’s Stuxnet malware silently accelerated a few hundred Iranian nuclear centrifuges until they destroyed themselves, it seemed to offer a preview of this new era. “This has a whiff of August 1945,” Michael Hayden, former director of the NSA and the CIA, said in a speech. “Somebody just used a new weapon, and this weapon will not be put back in the box.”

Now, in Ukraine, the quintessential cyberwar scenario has come to life. Twice. On separate occasions, invisible saboteurs have turned off the electricity to hundreds of thousands of people. Each blackout lasted a matter of hours, only as long as it took for scrambling engineers to manually switch the power on again. But as proofs of concept, the attacks set a new precedent: In Russia’s shadow, the decades-old nightmare of hackers stopping the gears of modern society has become a reality.

And the blackouts weren’t just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years—a sustained cyber­assault unlike any the world has ever seen.]]></description>
		<content:encoded><![CDATA[<p>Andy Greenberg / Wired:<br />
Experts warn that repeated cyberattacks on Ukraine, including mass power outages in Kiev, are evidence of Russia testing its offensive cyber capabilities</p>
<p>How An Entire Nation Became Russia&#8217;s Test Lab for Cyberwar<br />
<a href="https://www.wired.com/story/russian-hackers-attack-ukraine" rel="nofollow">https://www.wired.com/story/russian-hackers-attack-ukraine</a></p>
<p>Noting the precise time and the date, almost exactly a year since the December 2015 grid attack, Yasinsky felt sure that this was no normal blackout. He thought of the cold outside—close to zero degrees Fahrenheit—the slowly sinking temperatures in thousands of homes, and the countdown until dead water pumps led to frozen pipes.</p>
<p>That’s when another paranoid thought began to work its way through his mind: For the past 14 months, Yasinsky had found himself at the center of an enveloping crisis. A growing roster of Ukrainian companies and government agencies had come to him to analyze a plague of cyberattacks that were hitting them in rapid, remorseless succession. A single group of hackers seemed to be behind all of it. Now he couldn’t suppress the sense that those same phantoms, whose fingerprints he had traced for more than a year, had reached back, out through the internet’s ether, into his home.</p>
<p>The Cyber-Cassandras said this would happen. For decades they warned that hackers would soon make the leap beyond purely digital mayhem and start to cause real, physical damage to the world. In 2009, when the NSA’s Stuxnet malware silently accelerated a few hundred Iranian nuclear centrifuges until they destroyed themselves, it seemed to offer a preview of this new era. “This has a whiff of August 1945,” Michael Hayden, former director of the NSA and the CIA, said in a speech. “Somebody just used a new weapon, and this weapon will not be put back in the box.”</p>
<p>Now, in Ukraine, the quintessential cyberwar scenario has come to life. Twice. On separate occasions, invisible saboteurs have turned off the electricity to hundreds of thousands of people. Each blackout lasted a matter of hours, only as long as it took for scrambling engineers to manually switch the power on again. But as proofs of concept, the attacks set a new precedent: In Russia’s shadow, the decades-old nightmare of hackers stopping the gears of modern society has become a reality.</p>
<p>And the blackouts weren’t just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years—a sustained cyber­assault unlike any the world has ever seen.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/11/cyber-attack-caused-massive-power-outage/comment-page-1/#comment-1550867</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 13 Jun 2017 11:49:57 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=37773#comment-1550867</guid>
		<description><![CDATA[&#039;Industroyer&#039; ICS Malware Linked to Ukraine Power Grid Attack 
http://www.securityweek.com/industroyer-ics-malware-linked-ukraine-power-grid-attack

Researchers have conducted a detailed analysis of a piece of malware that appears to have been specially designed for cyberattacks targeting power grids. The malware is believed to have been used in the December 2016 attack aimed at an electrical substation in Ukraine.

The malware was discovered by ESET, which has dubbed it Industroyer. The company has also shared some data with ICS cybersecurity company Dragos, which tracks it as CRASHOVERRIDE and the threat actor that uses it as ELECTRUM.

Links to Ukraine power grid attacks

Malware designed to specifically target industrial control systems (ICS) is rare – Industroyer is only the fourth such threat known to the cybersecurity community. The other ICS-tailored malware families are Stuxnet, used in the 2010 attack targeting Iranian nuclear facilities, BlackEnergy, used in the December 2015 Ukraine power grid attacks, and Havex, used mainly against organizations in Europe.

While they could not confirm that Industroyer/CRASHOVERRIDE was the direct cause of the 2016 power outages in Ukraine’s Kiev region, which are believed by many to be the work of Russia, both ESET and Dragos – based on compilation dates and other data – are fairly confident that this is the malware used in the attack.

Dragos believes the ELECTRUM actor has direct ties to the BlackEnergy (Sandworm) group, and ESET pointed out that while there are no code similarities between the malware used in the 2015 and 2016 Ukraine attacks, some components are similar in concept.

Industroyer has been described as a sophisticated modular malware that has several components: a backdoor, a launcher, a data wiper, various tools, and at least four payloads. These payloads are the most interesting component as they allow the malware’s operators to control electric circuit breakers.]]></description>
		<content:encoded><![CDATA[<p>&#8216;Industroyer&#8217; ICS Malware Linked to Ukraine Power Grid Attack<br />
<a href="http://www.securityweek.com/industroyer-ics-malware-linked-ukraine-power-grid-attack" rel="nofollow">http://www.securityweek.com/industroyer-ics-malware-linked-ukraine-power-grid-attack</a></p>
<p>Researchers have conducted a detailed analysis of a piece of malware that appears to have been specially designed for cyberattacks targeting power grids. The malware is believed to have been used in the December 2016 attack aimed at an electrical substation in Ukraine.</p>
<p>The malware was discovered by ESET, which has dubbed it Industroyer. The company has also shared some data with ICS cybersecurity company Dragos, which tracks it as CRASHOVERRIDE and the threat actor that uses it as ELECTRUM.</p>
<p>Links to Ukraine power grid attacks</p>
<p>Malware designed to specifically target industrial control systems (ICS) is rare – Industroyer is only the fourth such threat known to the cybersecurity community. The other ICS-tailored malware families are Stuxnet, used in the 2010 attack targeting Iranian nuclear facilities, BlackEnergy, used in the December 2015 Ukraine power grid attacks, and Havex, used mainly against organizations in Europe.</p>
<p>While they could not confirm that Industroyer/CRASHOVERRIDE was the direct cause of the 2016 power outages in Ukraine’s Kiev region, which are believed by many to be the work of Russia, both ESET and Dragos – based on compilation dates and other data – are fairly confident that this is the malware used in the attack.</p>
<p>Dragos believes the ELECTRUM actor has direct ties to the BlackEnergy (Sandworm) group, and ESET pointed out that while there are no code similarities between the malware used in the 2015 and 2016 Ukraine attacks, some components are similar in concept.</p>
<p>Industroyer has been described as a sophisticated modular malware that has several components: a backdoor, a launcher, a data wiper, various tools, and at least four payloads. These payloads are the most interesting component as they allow the malware’s operators to control electric circuit breakers.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/11/cyber-attack-caused-massive-power-outage/comment-page-1/#comment-1530468</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 23 Dec 2016 13:03:22 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=37773#comment-1530468</guid>
		<description><![CDATA[Russian hackers reportedly attack Ukrainian weapons, power grid
Power goes out while howitzers are hijacked.
https://www.engadget.com/2016/12/22/russian-hackers-reportedly-attack-ukrainian-weapons-power-grid/

As the conflict in Eastern Ukraine escalates, two separate reports point to Russian hackers disrupting the power grid and weapons in the war-torn country. Outside of Kiev, between 100,000 and 200,000 people were plunged into darkness when portions of the Ukrenergo power company were knocked offline on December 18. The electricity was quickly restored, but the situation has raised concerns about infrastructure hacking.

The director of the power company, Vsevolod Kovalchuk, told Defense One that he is 99 percent sure a deliberate attack caused the outage. The event is similar to another blackout last year that was reportedly pulled off by Russian hackers, Sandworm. So far there&#039;s no direct connection between the hackers and the Russian military.

Meanwhile it looks like an app built to help quickly target the D-30 howitzers used by the Ukrainian military was hijacked with malware that could have potentially shared the location of those large guns with Russia.

CROWDSTRIKE GLOBAL INTELLIGENCE TEAM
Copyright 2016
USE OF FANCY BEAR ANDROID MALWARE IN TRACKING OF UKRAINIAN FIELD ARTILLERY UNITS
https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf]]></description>
		<content:encoded><![CDATA[<p>Russian hackers reportedly attack Ukrainian weapons, power grid<br />
Power goes out while howitzers are hijacked.<br />
<a href="https://www.engadget.com/2016/12/22/russian-hackers-reportedly-attack-ukrainian-weapons-power-grid/" rel="nofollow">https://www.engadget.com/2016/12/22/russian-hackers-reportedly-attack-ukrainian-weapons-power-grid/</a></p>
<p>As the conflict in Eastern Ukraine escalates, two separate reports point to Russian hackers disrupting the power grid and weapons in the war-torn country. Outside of Kiev, between 100,000 and 200,000 people were plunged into darkness when portions of the Ukrenergo power company were knocked offline on December 18. The electricity was quickly restored, but the situation has raised concerns about infrastructure hacking.</p>
<p>The director of the power company, Vsevolod Kovalchuk, told Defense One that he is 99 percent sure a deliberate attack caused the outage. The event is similar to another blackout last year that was reportedly pulled off by Russian hackers, Sandworm. So far there&#8217;s no direct connection between the hackers and the Russian military.</p>
<p>Meanwhile it looks like an app built to help quickly target the D-30 howitzers used by the Ukrainian military was hijacked with malware that could have potentially shared the location of those large guns with Russia.</p>
<p>CROWDSTRIKE GLOBAL INTELLIGENCE TEAM<br />
Copyright 2016<br />
USE OF FANCY BEAR ANDROID MALWARE IN TRACKING OF UKRAINIAN FIELD ARTILLERY UNITS<br />
<a href="https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" rel="nofollow">https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
