Inside the Modular IndustroyerThe modular malware, detected by Slovakian security company ESET as "Win32/Industroyer," disrupts the processes of industrial control systems (ICS). It works by installing a main backdoor component that controls other components. These modules include four payload elements that gain direct control of switches and circuit breakers at a substation by targeting communication protocols defined in four International Electrotechnical Commission (IEC) standards. ESET elaborates on this point further:
"Industroyer's dangerousness lies in the fact that it uses protocols in the way they were designed to be used. The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world. Thus, their communication protocols were not designed with security in mind. That means that the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware 'to speak' those protocols."The protocols abused by Industroyer's four modules are as follows: IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OLE for Process Control Data Access (OPC DA).
- 101 Payload Component: A DLL that abuses IEC 101, an international standard used for monitoring and controlling electric power systems and Remote Terminal Units (RTU). It uses a configuration file to attempt to end legitimate communication and initiate malicious contact with a device over serial connection using RTU. It then switches the state of Information Object Addresses (IOAs) from Off to On to Off again.
- 104 Payload Component: A file named for IEC 104, which extends IEC 101 so that the protocol can transmit over TCP/IP. It terminates the process responsible for legitimate IEC 104 communication, reads a configuration file, and uses it to find IP addresses through which it can interact with IOAs with a single command. After confirming the IOAs that belong to a single command type, the component places those into an infinite loop that flips their states between On and Off at every loop step.
- 61850 Payload Component: A standalone malicious tool named after IEC 61850, a standard for a protocol which enables multi-vendor communication between devices that monitor and protect electrical substation automation systems. It retrieves a list of devices capable of communication via IEC 61850 from the launcher component, at which point it begins targeting them with MMS getNameList requests. The payload then enumerates objects, uses more MMS requests to enumerate variables, and looks in the responses for "CSW," a string which represents the logical nodes used to control circuit breakers and switches.
- OPC DA Payload Component: A tool that opens a client for OLE for Process Control (OPC) Data Access, which allows for real-time data exchange between distributed components. The component enumerates all OPC servers on execution and then enumerates all OPC items. It attempts to change the state of any OPC item it finds.
"The next step is actual deletion of file contents. The component enumerates files with specific file extensions on all drives connected to computer, from C:\ to Z:\. It should be noted that during enumeration the component skips files that are located in subdirectory that contains Windows in its name. "The component rewrites file content with meaningless data obtained from newly allocated memory. In order to perform this operation thoroughly the component attempts to rewrite files twice. The first attempt happens once the file is found on a drive. If the first attempt is unsuccessful then the wiper malware makes a second attempt, but before that the malware terminates all processes except those included in a list of critical system processes."
A 'Sophisticated Piece of Malware'ESET's researchers have not confirmed at this time whether Industroyer was responsible for Ukraine's power outage in December 2016. But given its modular design, which includes extra elements like a custom-made port scanner tool and a denial-of-service (DoS) utility, the malware is a likely candidate. The threat research team at ESET agrees:
"We can definitely say that the Win32/Industroyer malware family is an advanced and sophisticated piece of malware that is used against industrial control systems. However, it should be noted that the malware itself is just a tool in the hands of an even more advanced and very capable malicious actor. Using logs produced by the toolset and highly configurable payloads, the attackers could adapt the malware to any comparable environment."To protect against sophisticated threats like Industroyer, organizations need to invest in a solution that monitors their ICS endpoints for anomalous behavior. At the same time, industry and government actors need to discuss how to better secure ICS communication protocols such as those defined in the standards abused by Industroyer. It's an important conversation given the digital security risks confronting electric power systems and other critical infrastructure today. For more thoughts concerning ICS security, please download this resource here.