This virus attacks power plants and waterworks - it is just as dangerous as Stuxnet

Analysts at ESET have identified advanced and highly dangerous malware, Industroyer, that can interrupt or even disable key industrial processes, such as the operation of a power plant, or cut off water and gas supplies. According to the experts, Industroyer is, after Stuxnet, another piece of malware that in the wrong hands can realistically threaten the stability of key industrial systems.

Among the analyzed malware samples capable of attacking critical infrastructure (detected by ESET products as Win32/Industroyer), Industroyer is a particularly dangerous threat because it is able to directly control the switches and circuit breakers of an electrical substation. To do so, it uses industrial communication protocols that are deployed worldwide in power infrastructure, transport control systems and other critical infrastructure systems (water, gas). Switches and circuit breakers are the digital equivalents of analog switches; technically they can be designed to perform a variety of functions. The potential effect of an attack can therefore range from interruptions in the distribution of electricity or water to more serious damage to the equipment. Naturally, disruption of such systems can have a direct or indirect impact on the functioning of essential services.

What makes Industroyer so dangerous is that it uses these protocols exactly as they were designed to be used. The problem is that the protocols were designed several decades ago, when critical infrastructure systems were essentially isolated from the outside world, so no security mechanisms (such as authentication of commands) were built into them. As a result, the attackers did not need to look for flaws in the protocols; it was enough for the malware to speak them correctly.

Structure and key functions

Industroyer is modular malware. Its core component is a backdoor that the attackers use to manage the attack: it installs and controls the other components of the malware and connects to the attackers' command-and-control (C&C) server to receive commands and report back. What distinguishes Industroyer from previously known threats against industrial critical infrastructure is its use of four separate payload components aimed at gaining direct control over switches and circuit breakers in an electricity distribution substation. Each of these components targets a different communication protocol, described in one of the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA. The components work in stages: first mapping the network, then checking whether the commands they issue actually take effect on specific industrial control devices.
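To make the point about unauthenticated protocols concrete, here is an added example (not from ESET's analysis or the original article) of the defender-side check this situation calls for: a small parser for IEC 60870-5-104 I-format frames that flags switching commands (single, double and regulating-step commands) arriving from any host that is not a known control master. The frames, IP addresses and master allowlist are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# IEC 60870-5-104 type identifiers that operate or step equipment (control direction).
SWITCHING_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)", 60: "C_RC_TA_1 regulating step (time-tagged)",
}

@dataclass
class Asdu:
    type_id: int
    cause: int        # cause of transmission, low 6 bits (6 = activation)
    common_addr: int  # station (common) address
    ioa: int          # information object address, i.e. the switch being addressed
    element: int      # first byte of the information element (SCO / DCO / RCO)

def parse_apdu(raw: bytes) -> Optional[Asdu]:
    """Decode one IEC 104 I-format APDU; return None for S/U frames or malformed input."""
    if len(raw) < 6 or raw[0] != 0x68 or raw[1] != len(raw) - 2:
        return None
    if raw[2] & 0x01:      # S-format (bits 0,1 = 01) and U-format (11) carry no ASDU
        return None
    if len(raw) < 16:      # smallest ASDU with one element and a 3-byte IOA
        return None
    return Asdu(type_id=raw[6], cause=raw[8] & 0x3F,
                common_addr=int.from_bytes(raw[10:12], "little"),
                ioa=int.from_bytes(raw[12:15], "little"), element=raw[15])

def describe_command(a: Asdu) -> str:
    """Human-readable select/execute and on/off (or step) state of a switching command."""
    select = "SELECT" if a.element & 0x80 else "EXECUTE"
    if a.type_id in (45, 58):
        state = "ON" if a.element & 0x01 else "OFF"
    elif a.type_id in (46, 59):
        state = {1: "OFF", 2: "ON"}.get(a.element & 0x03, "INVALID")
    else:
        state = {1: "LOWER", 2: "HIGHER"}.get(a.element & 0x03, "INVALID")
    return f"{SWITCHING_TYPES[a.type_id]} {select} {state}"

def check_frame(src_ip: str, raw: bytes, allowed_masters: set) -> Optional[str]:
    """Alert when a switching command comes from a host that is not a known master."""
    a = parse_apdu(raw)
    if a is None or a.type_id not in SWITCHING_TYPES or src_ip in allowed_masters:
        return None
    return f"ALERT {src_ip} -> station {a.common_addr} IOA {a.ioa}: {describe_command(a)}"

# Constructed sample frames (not captured traffic), all cause 6 (activation), station 1:
SINGLE_ON = bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 01 00 00 01")      # single cmd ON, IOA 1
DOUBLE_OFF = bytes.fromhex("68 0e 00 00 00 00 2e 01 06 00 01 00 05 00 00 01")     # double cmd OFF, IOA 5
INTERROGATION = bytes.fromhex("68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14")  # general interrogation
KNOWN_MASTERS = {"10.0.0.10"}  # constructed allowlist of legitimate SCADA masters
```

An interrogation (type 100) from an unknown host is deliberately not flagged here; it reads state rather than changing it, though a stricter deployment could alert on any ASDU from a host outside the allowlist.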

The malware includes several other features that allow it to stay hidden, maintain persistence, or remove traces of its activity. For example, communication with the C&C servers, which are hidden in the Tor network, can be restricted to non-working hours. The threat also includes an additional backdoor, disguised as a Notepad application, to fall back on if the main backdoor is detected or disabled. Another module is a Denial of Service tool that exploits the CVE-2015-5374 vulnerability in Siemens SIPROTEC devices (used for protection, control and monitoring in electrical systems) and can cause the targeted devices to stop responding.

Win32/Industroyer is advanced malware and can be extremely dangerous in the hands of a sophisticated and determined attacker. Its ability to persist in a system and disrupt critical industrial processes makes it a very dangerous tool that can cause interruptions in power, water or gas supply. Experts suspect that the recent attack (in 2016) on the Ukrainian power grid was a test of this threat, and that it should serve as a warning to the people and institutions responsible for the security of the most important systems around the world.
