Malware attacks on physical infrastructure have long been a pressing threat in the cybersecurity field, but these two attacks in Ukraine are the first of their kind and have received little attention from the academic community. This report on the attacks conducted by Russian intelligence services against Ukraine warns of the evolution of cyber-attacks against society and highlights the need to better understand and protect against this type of malware.
A new paper reports the first study of how Industroyer One and Industroyer Two, as these malware attacks are called, operate and interact with physical power system equipment. The paper will be presented on May 20 at the IEEE Symposium on Security and Privacy, the Institute of Electrical and Electronics Engineers' flagship cybersecurity conference, by researchers including Luis Salazar, Sebastian Castro and Bin Huang. The work was led by a team of students from the University of California, Santa Cruz, including Juan Lozano and Keerthi Koneru, with Alvaro Cárdenas, associate professor of computer science and engineering, as advisor.
“I want to emphasize how vulnerable our systems are, and I don't see why this hasn't had a bigger impact in terms of security awareness and even policy and planning,” Cárdenas said. “When you see a nation-state designing malware that takes down another country’s power grid, it seems like a big deal. Our critical infrastructure is vulnerable to this type of attack, so we need to protect it. We need to be ready.”
Understanding Industroyer One and Industroyer Two
The malware used in the 2016 attack was named Industroyer One, and the similar but distinct malware used in 2022 was named Industroyer Two. Five Eyes, an intelligence coalition made up of Australia, Canada, New Zealand, the United Kingdom and the United States, blamed both attacks on Russia's military intelligence agency, the GRU.
Cárdenas said that while the first attack can be seen as an example of intimidation and coercion short of open war, the second attack reflects how war is waged in the modern world.
“This is an example of modern warfare in that it combines physical and cyber attacks,” Cárdenas said. “This is not an isolated event; these events in the cyber and physical world reinforce each other to create maximum damage. At the same time, we received notification of yet another attack targeting the Ukrainian power grid.”
These malware attacks are not only the first and only known examples of a cyberattack on a power grid, but also among the few known malware attacks on physical infrastructure of any kind.
The first known malware attack on physical infrastructure was Stuxnet, discovered in 2010 and deployed several years earlier to destroy centrifuges at an Iranian uranium enrichment plant. Before that, malware attacks targeted only classic computing systems such as IT and financial systems.
The Industroyer attacks caused regional power outages that lasted several hours. This type of attack requires operators to resolve the problem locally and reconnect to the main system; it is much less devastating than a system collapse, in which the failure cascades into the “bulk” system and brings down the entire country's power grid.
“These attacks have had the potential to cause localized power outages, but so far have not resulted in system-wide collapses. That would be much more dangerous because the power would be out for several days,” Cárdenas said.
Creating a research sandbox
UCSC researchers aren't the only ones studying these two attacks, but Cárdenas' team, working closely with industry to understand the details of how the malware operates and interacts with the equipment that controls the infrastructure, found that existing white papers did not provide a satisfactory answer. Their report is the first to detail exactly how the malware interacted with the physical world.
Cárdenas was able to obtain a copy of the malware, which allowed the researchers to build a sandbox: a software environment that tricks the malware into thinking it is inside the industry-specific environment of Ukraine's power grid, letting the researchers observe exactly how the malware interacts with the system. They emulated a power grid operator's control room with remote connections to substations, and a substation network with local connections to electrical equipment. Their sandbox is freely available to other researchers.
The researchers used the sandbox to find similarities between the attacks, but also observed a clear evolution of the malware.
Both Industroyer attacks were fully automated, requiring no human intervention once deployed, and penetrated areas of the power grid that were designed to be disconnected from the internet for greater security. Both attacks compromised Windows computers in substations or control rooms and manipulated the status of circuit breakers in the power grid.
Industroyer One acted like a Swiss Army knife in that it could attack both older systems operating over serial lines and modern systems operating over modern communication networks. It was developed without a specific target and could attack either directly from within a power grid substation or from a control center hundreds of miles away, relying on a configuration file on the compromised system itself to guide the attack. However, this flexibility did not mean it was free of defects.
“We had the flexibility to attack from anywhere, but we also found that there were a lot of bugs,” Cárdenas said. “There were some bugs in the implementation that didn't follow the protocol. Maybe it was [meant to be] very targeted, although I tested it on several different types of equipment and it worked on some but not others.”
Industroyer Two, on the other hand, is very specific and has no need to read any configuration files, as the target is built into the malware itself. The researchers confirmed that it targeted three IP addresses, possibly corresponding to specific devices that control circuit breakers in a particular substation. The bugs that existed in Industroyer One had been eliminated.
“Perhaps because they had time to refine the malware to remove bugs over time, but they also knew what they were getting into,” Cárdenas said.
The researchers observed how the Industroyer attacks targeted different numbers of circuit breakers and found that different types of disconnection attacks can have different outcomes for the power grid. Counterintuitively, they found that opening all circuit breakers at once does not cause the most serious problems, because the system stays balanced when loads and generation are cut off at the same time. More strategic attacks may instead aim to create imbalances, which can cause far greater problems in the bulk system.
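To make the balance point concrete, here is a toy contingency-screening model, written as an added example for this article (it is not code from the paper or from the researchers' sandbox). A region of the grid has breakers that each carry either generation or load and is tied to a larger bulk system; the initial rate of change of frequency that the bulk system would see after a set of breakers opens is estimated with the classical swing-equation approximation df/dt = f0·ΔP/(2·H·S). The feeder sizes, the bulk capacity, the inertia constant H and the alert thresholds are all assumed values chosen for illustration. Opening every breaker leaves ΔP at zero (a local outage, nothing more), while opening only loads or only generators leaves a surplus or deficit that the bulk system has to absorb.

```python
"""Toy contingency screening for the balance point above: a region of the grid
whose breakers carry either generation or load, connected to a larger bulk system.
Added example for this article, not code from the paper or its sandbox.
All numbers (feeder sizes, bulk capacity, inertia, thresholds) are assumed."""
from dataclasses import dataclass
from itertools import combinations

NOMINAL_HZ = 50.0          # assumed nominal frequency of the interconnection
BULK_ONLINE_MW = 2000.0    # assumed online generation in the bulk system (used as MVA base)
INERTIA_H_SECONDS = 5.0    # assumed aggregate inertia constant H of that generation

# Assumed screening thresholds on the initial rate of change of frequency (Hz/s):
# below ROCOF_LOW reserves ride through; above ROCOF_HIGH frequency protection
# would typically start tripping further equipment, i.e. the cascade the text warns about.
ROCOF_LOW = 0.2
ROCOF_HIGH = 1.0


@dataclass(frozen=True)
class Breaker:
    name: str
    kind: str   # "gen" for a generator feeder, "load" for a load feeder
    mw: float   # power flowing through the breaker while it is closed


def remaining_power(breakers, opened):
    """Generation and load in the region still connected after the `opened` breakers trip."""
    gen = sum(b.mw for b in breakers if b.kind == "gen" and b.name not in opened)
    load = sum(b.mw for b in breakers if b.kind == "load" and b.name not in opened)
    return gen, load


def initial_rocof(imbalance_mw):
    """Swing-equation estimate of the initial df/dt seen by the bulk system:
    df/dt = f0 * dP / (2 * H * S), with dP the surplus the region now exports."""
    return NOMINAL_HZ * imbalance_mw / (2.0 * INERTIA_H_SECONDS * BULK_ONLINE_MW)


def assess(breakers, opened):
    """Classify the post-contingency state of the region as seen by the bulk system."""
    gen, load = remaining_power(breakers, opened)
    imbalance = gen - load          # positive: surplus generation, negative: deficit
    rocof = initial_rocof(imbalance)
    if gen == 0.0 and load == 0.0:
        # Everything tripped together: a local outage for the region, but the
        # bulk system sees neither surplus nor deficit, so nothing pushes its frequency.
        state = "de-energized"
    elif abs(rocof) < ROCOF_LOW:
        state = "balanced"
    elif abs(rocof) < ROCOF_HIGH:
        state = "stressed"
    else:
        state = "cascade-risk"
    return {"state": state, "imbalance_mw": imbalance, "rocof_hz_s": rocof}


# Constructed region: 500 MW of generation exactly matched by 500 MW of load.
REGION = (
    Breaker("G1", "gen", 300.0),
    Breaker("G2", "gen", 200.0),
    Breaker("L1", "load", 250.0),
    Breaker("L2", "load", 250.0),
)

SEVERITY = {"balanced": 0, "de-energized": 1, "stressed": 2, "cascade-risk": 3}


def screen_all_contingencies(breakers=REGION):
    """Evaluate every non-empty set of breaker openings, worst first. Planners use
    lists like this to decide which feeders and substations need the most protection."""
    names = [b.name for b in breakers]
    rows = []
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            r = assess(breakers, set(combo))
            rows.append((combo, r["state"], r["imbalance_mw"], r["rocof_hz_s"]))
    rows.sort(key=lambda row: (-SEVERITY[row[1]], -abs(row[2])))
    return rows


if __name__ == "__main__":
    for combo, state, imbalance, rocof in screen_all_contingencies():
        print(f"open {','.join(combo):<12} -> {state:<13} dP={imbalance:+6.0f} MW  df/dt={rocof:+.2f} Hz/s")
```

Run as a script, the model prints every breaker combination ranked by severity: opening all four breakers lands in the harmless "de-energized" bucket, while opening only the two load feeders or only the two generator feeders produces the largest swings. The value for a defender is the ranking itself, which shows which subsets of equipment deserve the tightest access control and monitoring.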
Planning future defenses
Overall, the evolution observed across the Industroyer attacks shows that malware attacks are becoming stealthier. Although both attacks targeted computers located within control centers, the researchers believe that future attackers could attempt to take control of the “intelligent electronic devices” (IEDs) embedded within the physical systems themselves. No known malware targets these devices yet, but they could become attractive targets in the future, because an attacker who controlled an IED could send malicious commands while making the device report to human operators that everything is working fine.
Although the Industroyer attack occurred geographically far from the United States, distance does not guarantee safety.
“An attack could happen here or almost anywhere in the world,” Cárdenas said. “Today, the systems are all controlled by computers and have pretty much the same technology.”
With this in mind, the researchers are working to turn their sandbox into what they call a “honeypot.” A honeypot is a type of decoy software that pretends to be a system operating within a utility's operational network. System operators know not to use the decoy, so any activity seen within the honeypot must come from an external attacker, and operators are alerted to the attack.
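The detection rule behind a honeypot is simple: nothing legitimate ever talks to the decoy, so any traffic to it is an alert. The example below, written for this article and not taken from the researchers' honeypot or sandbox, shows the small amount of logic a utility would still want around that rule: ignoring the one monitoring host that health-checks the decoy, collapsing many flow records into one alert per source, and escalating severity when the source probes several services or attempts a control action against the decoy rather than just connecting. The decoy inventory, the addresses, the log format and every log line are constructed for illustration.

```python
"""Alerting on activity against a decoy, the way a honeypot in a utility's
operational network would. Added example for this article, not the researchers'
honeypot code. The decoy inventory, addresses and log lines are all constructed."""
import re
from collections import defaultdict

# Assumed decoy inventory: addresses that no legitimate operator process ever contacts.
DECOY_HOSTS = {"10.50.1.200": "decoy-substation-rtu", "10.50.1.201": "decoy-hmi"}
# Assumed exception: the one monitoring host allowed to health-check the decoys.
HEALTH_CHECKERS = {"10.50.0.9"}
# Verbs that go beyond looking: an attempt to change state on the decoy.
CONTROL_ACTIONS = {"write", "command", "select", "operate"}
RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed flow-log format: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<verb>"
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return the event fields, or None for a line that does not match the format."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def alerts_from_log(lines):
    """One alert per source host that touched a decoy, most severe first."""
    by_src = defaultdict(lambda: {"decoys": set(), "ports": set(), "actions": set(),
                                  "first_seen": None, "events": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dst"] not in DECOY_HOSTS or ev["src"] in HEALTH_CHECKERS:
            continue  # malformed, aimed at a real host, or the sanctioned health check
        rec = by_src[ev["src"]]
        rec["decoys"].add(DECOY_HOSTS[ev["dst"]])
        rec["ports"].add(ev["dport"])
        rec["actions"].add(ev["action"])
        rec["first_seen"] = rec["first_seen"] or ev["ts"]
        rec["events"] += 1

    alerts = []
    for src, rec in by_src.items():
        if rec["actions"] & CONTROL_ACTIONS:
            severity = "critical"   # tried to operate the decoy, e.g. to change a breaker state
        elif len(rec["ports"]) > 1 or len(rec["decoys"]) > 1:
            severity = "high"       # walking several services or decoys: reconnaissance
        else:
            severity = "medium"     # a single touch is still something no operator should do
        alerts.append({
            "src": src, "severity": severity, "first_seen": rec["first_seen"],
            "events": rec["events"], "decoys": sorted(rec["decoys"]),
            "ports": sorted(rec["ports"]), "actions": sorted(rec["actions"]),
        })
    alerts.sort(key=lambda a: (RANK[a["severity"]], a["first_seen"]))
    return alerts


# Constructed sample log. Ports 2404, 102 and 502 are well-known ICS service ports.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z src=10.50.0.9 dst=10.50.1.200 dport=2404 action=connect",   # health check
    "2024-03-01T10:05:12Z src=10.50.2.17 dst=10.50.1.200 dport=2404 action=connect",
    "2024-03-01T10:05:13Z src=10.50.2.17 dst=10.50.1.200 dport=102 action=connect",
    "2024-03-01T10:05:20Z src=10.50.2.17 dst=10.50.1.201 dport=502 action=connect",
    "2024-03-01T10:07:45Z src=10.50.3.4 dst=10.50.1.200 dport=2404 action=connect",
    "2024-03-01T10:07:46Z src=10.50.3.4 dst=10.50.1.200 dport=2404 action=write",
    "2024-03-01T10:09:00Z src=10.50.4.8 dst=10.50.1.201 dport=502 action=connect",
    "2024-03-01T10:09:01Z src=10.50.4.8 dst=10.50.9.9 dport=502 action=connect",      # real host, not a decoy
    "not a flow record at all",
]

if __name__ == "__main__":
    for a in alerts_from_log(SAMPLE_LOG):
        print(f"{a['severity']:<8} {a['src']:<12} first={a['first_seen']} "
              f"events={a['events']} decoys={a['decoys']} ports={a['ports']} actions={a['actions']}")
```

On the constructed log the health check is dropped, the host that issued a write against the decoy comes out as critical, the host that swept three ports across both decoys as high, and the host that made a single connection as medium. The allow-list for health checkers is the one place this rule needs care: it should be a single, tightly controlled address, because anything on it can reach the decoy without raising an alarm.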
Researchers are designing honeypots to be versatile enough to work not only on power grids, but also in a variety of control systems, such as refineries and water treatment systems.
The researchers also plan to accelerate the integration of AI assistants into operational networks, which would help operators decipher and respond to attacks in real time as they occur.
Collaborators on this project included Cárdenas' Ph.D. students Luis Salazar, Sebastian Castro, Juan Lozano and Keerthi Koneru; Emanuele Zambon of Eindhoven University of Technology; Bin Huang and Ross Baldick of the University of Texas at Austin; Marina Krotofil of Information Systems Security Partners; and Alonso Rojas of Axon Group.
An early version of this research received the highest honor, the Commander's Award, at the U.S. Cyber Command's first Academic Engagement Network event.