As if the threat posed by malware was not terrifying enough, researchers from the network security firm ESET said today that a Russian hacker group may have developed a way to take down the power grids of entire countries.
The researchers described the malware, dubbed “Industroyer,” as the most dangerous hacking weapon since Stuxnet. First identified in 2010, Stuxnet is a malicious computer worm that targets industrial computer systems and was responsible for causing substantial damage to Iran's nuclear program.
In fact, the ESET researchers said the malware was responsible for a 2016 blackout that affected Ukraine’s capital city of Kiev for an hour. The researchers also said the malware could be reconfigured to attack other key infrastructure components as well.
'A Particularly Dangerous Threat'
"Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas)," the company wrote in a blog post today.
Because Industroyer affects switches directly, the malware can inflict varying degrees of damage on a target country's infrastructure, from simply triggering a temporary blackout, to causing cascading failures or serious damage to equipment.
The malware is able to attack infrastructure equipment so effectively because it speaks the common industrial protocols that were designed decades ago, long before most such systems were connected to the Internet; security was not a major priority when they were implemented. In many cases, the attackers only need to program the malware to communicate in those protocols, because the protocols themselves provide no security mechanisms that would have to be circumvented.
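The practical consequence of the paragraph above is that the protocol cannot be relied on to say who is allowed to operate a breaker, so that policy has to be enforced by the monitoring layer instead. The following is an added example (not code from the article or from ESET) of such a monitor: it assumes a network sensor that already decodes the industrial protocol and writes one line per command in the constructed format shown, and it flags control commands from hosts outside an allowlist as well as bursts of control commands from a single host. The hosts, point IDs and the burst threshold are constructed placeholders.

```python
"""
Allowlist-and-rate monitor for control commands on an industrial network.

Added example, not from the article or from ESET. It assumes a sensor that
already decodes the (unnamed) industrial protocol and emits one line per
command in the constructed format below; hosts, point IDs and thresholds
are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines: timestamp, source host, destination device,
# command class (READ or CONTROL), addressed point.
SAMPLE_LOG = """\
2024-01-01T22:00:00 10.0.5.10 10.0.9.21 READ point=1001
2024-01-01T22:00:03 10.0.5.10 10.0.9.21 CONTROL point=2001
2024-01-01T22:00:10 10.0.5.99 10.0.9.21 CONTROL point=2001
2024-01-01T22:00:11 10.0.5.99 10.0.9.22 CONTROL point=2002
2024-01-01T22:00:12 10.0.5.99 10.0.9.23 CONTROL point=2003
2024-01-01T22:00:13 10.0.5.99 10.0.9.24 CONTROL point=2004
2024-01-01T22:00:14 10.0.5.99 10.0.9.21 READ point=1001
"""

# Policy (constructed): only the operator HMI may issue CONTROL commands.
ALLOWED_CONTROL_SOURCES = frozenset({"10.0.5.10"})


@dataclass(frozen=True)
class Command:
    ts: datetime
    src: str
    dst: str
    kind: str
    point: str


def parse_line(line: str) -> Command:
    """Parse one constructed log line; reject unknown command classes."""
    ts, src, dst, kind, point = line.split()
    if kind not in ("READ", "CONTROL"):
        raise ValueError(f"unknown command class: {kind}")
    if not point.startswith("point="):
        raise ValueError(f"malformed point field: {point}")
    return Command(datetime.fromisoformat(ts), src, dst, kind, point[len("point="):])


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_alerts(commands, allowed_sources, max_controls=3, window=timedelta(seconds=60)):
    """Return (reason, command) pairs.

    The protocol authenticates nobody, so the policy lives here:
    - CONTROL from a host outside allowed_sources  -> 'unauthorised_source'
    - more than max_controls CONTROL commands from one host within
      `window`                                      -> 'control_burst'
    (the threshold is a constructed assumption, not a published figure)
    """
    alerts = []
    recent = defaultdict(list)  # src -> timestamps of its recent CONTROLs
    for cmd in sorted(commands, key=lambda c: c.ts):
        if cmd.kind != "CONTROL":
            continue
        if cmd.src not in allowed_sources:
            alerts.append(("unauthorised_source", cmd))
        history = recent[cmd.src]
        history.append(cmd.ts)
        # Keep only the timestamps that fall inside the sliding window.
        while history and cmd.ts - history[0] > window:
            history.pop(0)
        if len(history) > max_controls:
            alerts.append(("control_burst", cmd))
    return alerts


def analyse_sample() -> list:
    """Run the policy over the constructed log."""
    return find_alerts(parse_log(SAMPLE_LOG), ALLOWED_CONTROL_SOURCES)


if __name__ == "__main__":
    for reason, cmd in analyse_sample():
        print(f"{cmd.ts.isoformat()} {reason}: {cmd.src} -> {cmd.dst} point {cmd.point}")
```

On the constructed log, the unlisted host 10.0.5.99 produces four unauthorised-source alerts and, on its fourth control command within the window, one burst alert; the allowlisted HMI's single command produces none. In a real deployment the allowlist would come from the site's asset inventory and the rate threshold from observed operator behaviour.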
The Worst Is Yet To Come
The ESET researchers characterized Industroyer as modular malware built around a core backdoor, which the attackers use to deploy the other components and to connect the compromised system to the malware's command-and-control servers. What sets Industroyer apart from other malware tools are four payload components specifically designed to target the circuit breakers and switches in power-grid substations.
Industroyer is also designed to cover its tracks: once its mission is complete, a wiper module erases registry keys to eliminate all traces of the malware's existence, making detection and recovery harder for investigators after an attack.
The malware is also persistent. A secondary backdoor, delivered by a module that masquerades as the Notepad application, can regain access to the target system if the original backdoor is discovered and shut down.
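A component that masquerades as Notepad is only effective if nobody is checking whether system binaries still match what was installed. The block below is an added example (not the article's or ESET's code) of the general defensive technique: hash every file under a directory, store that as a baseline, and later report what was added, removed or changed. The directory layout and file contents are constructed in a temporary folder so the example runs anywhere; on a real Windows host, verifying Authenticode signatures on the binaries is the stronger complement to a hash baseline, and the same baseline-and-compare idea applies to the registry keys the wiper module erases, which this example does not cover.

```python
"""
Minimal file-integrity baseline, illustrating how a replaced or dropped
binary posing as a legitimate application can be detected.

Added example; the directory tree, file names and contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(
            k for k in baseline.keys() & current.keys() if baseline[k] != current[k]
        ),
    }


def demo() -> dict:
    """Build a constructed 'system' directory, baseline it, simulate a
    replaced Notepad binary plus a dropped file, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system32 = root / "System32"
        system32.mkdir()
        (system32 / "notepad.exe").write_bytes(b"constructed: legitimate notepad")
        (system32 / "calc.exe").write_bytes(b"constructed: legitimate calc")
        baseline = hash_tree(root)

        # Simulated tampering: one binary replaced in place, one file dropped.
        (system32 / "notepad.exe").write_bytes(b"constructed: replaced binary")
        (system32 / "extra.dll").write_bytes(b"constructed: dropped file")

        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline is taken on a known-good image and kept off the monitored host, so that a wiper running on that host cannot erase it along with the registry keys.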
As bad as last December's Ukraine attack was, it may represent only a small taste of what's to come. ESET researchers suspect that hackers used that attack as a proof-of-concept in advance of more serious attacks planned for the future.