Blog
07.05.2017

VAnalysis: Industroyer/CrashOverride Malware Attack

In early June, security researchers at ESET and Dragos released a detailed analysis of the malware now known as Industroyer or Crash Override. Their analysis revealed that the malware targeted the Siemens Spirotec Digital Relay which, when working normally, gauges the charge in electric grid components and opens circuit breakers if the charge reaches dangerously high levels. Even though Siemens had released a firmware update for this relay in June 2015, many industrial control systems did not apply the patch, perhaps to avoid business disruption, leaving their systems vulnerable.

Industroyer targets these vulnerable Siemens relays with several malicious payloads. In one scenario, the relay could be placed in an offline mode which would result in a power outage. In another scenario, the relay could be continuously turned on causing the power generation and distribution equipment to overheat and suffer permanent damage. Once the attack is complete, other processes in Industroyer erase their footprints by (a) maliciously overwriting the contents of a very large number of critical files on the disk of the infected machine and (b) changing the “ImagePath” settings in the registry of every Windows Service thereby rendering the system completely unbootable.

An early version of this malware was test run in December 2016 to shut down the power grid in Ukrenergo, Ukraine. It is not definitively known how the malware made it into an ostensibly air-gapped power grid, but it is suspected that the initial attack vector could be a malicious insider or an employee targeted with a phishing attack or a drive-by-download.

The most alarming aspects of this malware are that the authors are well versed in the design of industrial control systems and have built up a cyber-attack framework with on-demand swappable components, enabling them to customize the attack for different countries and installations. This is truly a watershed moment for the cyber security of industrial controls worldwide.

Industry Recommended Defense against Industroyer Malware Intrusion

Industrial Control System Operators can protect themselves by using the following methods:

-- Backups: Perform daily backups of important data including project logic, configuration files and application installers

-- Patching: Deploy patches in a timely manner

-- Best Practices: Develop detailed incident response plans

However, researchers have noted that conventional, passive defense mechanisms are not adequate to confront these next-generation attacks.

Highlights of Industroyer Malware Analysis:

Malware analysis performed by ESET and Dragos is illustrated in the following block diagram:

Main Backdoor: Connects to the Command Control Center (C&C) controlled by the bad actor using the HTTPS protocol. The Main Backdoor can execute processes and shell commands, connect to the C&C Server, start or stop a Windows Service, replace registry keys, etc. When the attacker obtains admin credentials, this backdoor can be converted into a Windows Service.

Additional Backdoor: This is an additional persistence mechanism in case the main backdoor gets disabled for any reason. This backdoor is a Trojan version of the common Windows application called Notepad. Malicious code executes when Notepad is executed by the user. This code connects to a different C&C Server and executes shell code. When the bad actor is able to ferret out the admin credentials, they replace the Trojan version with the real version of Notepad.

 

Industroyer Malware analysis performed by ESET and Dragos

 

Launcher: This is used for launching the Data Wiper and the various payloads. The C&C can start the Launcher at a designated, and automatically attack a target Industrial Control System, completely hands free. The Launcher first launches    the various payloads shown in red below and hours later the second thread launches the Data Wiper in order to erase footprints. The real malicious activity is executed by the various payloads detailed below.

101 Payload: Implements the protocol described in IEC Spec 60870-5-101 that describes how to monitor and control electric power systems. On execution of this payload, the 101 Payload DLL reads a configuration file to enumerate all the Remote Terminal Units (RTUs) connected to it. The main objective of this payload is to change the on/off state of the underlying RTU.

104 Payload: Is a variant of the above 101 Payload that runs over the TCP/IP Network and can discover RTUs in the network. The malware kills the original process that performs the normal 104 Payload monitoring process and replaces it with a rogue process. In stage 1, the rogue process connects to the target RTUs and iterates through their states. In stage 2, the rogue process continuously flips the on/ off state of the target RTUs and logs success so that the operators do not receive an alert.

61850 Payload:  This protocol is responsible for multi-vendor communication between devices that protect, automate, meter, monitor and control existing automation systems in an electrical grid. It enumerates the various subnet masks and connects on port 102 of each address in each subnet in order to send a Connection Request. If the target responds, the malware enumerates all endpoints and the various communication objects in each endpoint with the objective of finding specific Siemens circuit breakers and switches. The payload enumerates the data and creates a log with rich meta-data about each target for export to the C&C.

OPC DA Payload: OPC Data Access uses Microsoft’s OLE, COM and COM protocol to exchange real-time data between distributed components based on a client-server model. This payload queries the various OPC Servers it discovers and is looking for MicroSCADA Servers from ABB. This data is written into a log for export to the C&C.

Data Wiper: This is executed in the final stages of the attack to mask the footprints of the malware. It goes into the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and changes the ImagePath setting of each sub key with an empty string. This interferes with Windows services and makes the system unbootable on the next reboot. Additionally, the data wiper writes garbage into all files with a specified extension (especially those files that are required by the Substation Configuration Definition) present on all volumes from C:\ to Z:\ drive, - twice to make sure it does a thorough job. Lastly, it terminates all processes (except its own) running on the infected machine. This makes the machine totally unresponsive.

Additional Tools: These include a port scanner and a Denial-Of-Service (DOS) tool specially targeted at rendering Siemens Spirotec devices unresponsive by exploiting a firmware vulnerability Siemens fixed in June 2015.

How Can Virsec Platform Defend against Industroyer?

The following mechanism would have stopped Industroyer from working in a Virsec Platform protected environment:

--Virsec Platform File System Monitoring (FSM) registers all processes, and prevents maliciously inserted ones from running at start-up. In this case, all known ICS processes would have been registered and Virsec Platform would prevent all the rogue processes shown in the block diagram from starting up.

--As the backdoor connects with the C&C Server and receives its control instructions via HTTP/ HTTPS, these would get logged by the Virsec Platform Web Protection Engine and aborted by the Virsec Platform Security Policy Engine since the TOR network would not be in the list of allowed hosts, (given that the OT Network of the SCADA system in the substation is an air gapped system).

--The additional backdoor runs a rogue version of Notepad repeatedly until privileged credentials are harvested. Any attempt to alter Notepad and then start the malicious version would be intercepted by Virsec Platform FSM and would be aborted immediately.

--The injection of the malicious 101 and 104 Payload DLL into the Launcher process would be intercepted by the Virsec Platform Memory Monitor and aborted.

--The attempt to kill the original 104 Payload monitoring process, D2MultiCommService.exe, would be detected and aborted by Virsec Platform Process Monitor.

--The attempt to start the 61850.exe process and the loading of the 61850.DLL would be terminated by the Virsec Platform FIM solution.

--The attempt by the Data Wiper to change the ImagePath in the registry would be intercepted by Virsec Platform FSM.

--The attempt by the Data Wiper to wipe files with specific extensions would be stopped by Virsec Platform FSM.

Conclusion

By combining a multi-stage APT attack with deep domain knowledge of the control systems, the Industroyer malware has unleashed a major escalation in cyber-attacks on Industrial Control Systems. Virsec Platform, with its deep memory monitoring and real-time protection, is able to protect even those industrial control systems that cannot afford to patch on a regular schedule.