The Russia-linked hackers who triggered a power outage in Ukraine back in 2016 may have hoped to cause much more damage, according to a report published recently by U.S.-based industrial cybersecurity firm Dragos.
The threat group, which Dragos tracks as Electrum, used a piece of malware known as Crashoverride (ESET calls it Industroyer) to target industrial control systems (ICS) at a transmission substation near Kiev. The attack caused an outage in the Kiev region on December 17, 2016, but power was restored after just over an hour, making it less severe than the attack on Ukraine's grid one year earlier, when outages at several distribution companies lasted for up to six hours.
Dragos researcher Joe Slowik has reassessed the 2016 attack involving Crashoverride and he believes that the attackers were actually hoping to cause more widespread outages and trigger a destructive event.
It was already known that the malware included modules that let the attackers open circuit breakers and disrupt power by issuing ICS protocol commands to remote terminal units (RTUs), along with a wiper module intended to make recovery harder by deleting configuration and other files. During the initial analysis, researchers also uncovered a tool designed to exploit a known vulnerability in the Ethernet communication module of Siemens SIPROTEC protection relays (CVE-2015-5374) by sending crafted packets that put the relay into a denial-of-service (DoS) condition from which it cannot recover without a manual restart.
Slowik believes that the purpose of this tool was to take the relays out of service so that they would no longer provide overcurrent protection when operators restored power after the outage. Transmission equipment would then be exposed to a fault current or power surge with nothing to clear it, potentially causing physical damage and a far longer outage that would require repairing or replacing equipment rather than simply re-energizing it.
However, the attackers failed to disable the protective relays because of errors in the DoS tool's code. Moreover, although the hackers attempted to disrupt hundreds of control system devices at the targeted organization, they succeeded against far fewer than they intended. The net result was that the 2016 attack caused less disruption than the 2015 incident.
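The sequence described above, breaker control traffic to RTUs followed shortly by a DoS attempt against the protection relays, is something a defender can look for in network flow data. The following is an added example written for this page, not code from Dragos or from the original article. It runs over a small set of constructed flow records and flags any host that issues IEC 60870-5-104 control traffic (TCP port 2404, one of the protocols Crashoverride's breaker module speaks) and then sends UDP traffic to port 50000, the SIPROTEC EN100 service affected by CVE-2015-5374, on two or more relays within a time window. The IP addresses, hostnames, flow format and the 30-minute window are assumptions; the port numbers are the standard IEC 104 port and the port named in the Siemens advisory.

```python
"""Added example (not from the Dragos report or the original article).

Looks for the CRASHOVERRIDE 'disable protection after tripping breakers'
pattern in constructed flow records: a source host sends IEC 104 control
traffic to RTUs and then UDP/50000 (CVE-2015-5374 EN100 service) to
several protection relays.  Addresses, flow format and window are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

IEC104_PORT = 2404          # IEC 60870-5-104 over TCP (breaker control traffic)
SIPROTEC_DOS_PORT = 50000   # SIPROTEC EN100 UDP service targeted by CVE-2015-5374

# Constructed sample flows (not real capture data): "timestamp,src,dst,proto,dport".
# 10.10.1.50 is the assumed compromised engineering host, 10.10.2.x the RTUs,
# 10.10.3.x the protection relays; 10.10.1.7 is an assumed benign SCADA master.
SAMPLE_FLOWS = """\
2016-12-17T20:05:00,10.10.1.7,10.10.2.11,tcp,2404
2016-12-17T20:06:00,10.10.1.7,10.10.2.11,tcp,2404
2016-12-17T22:41:03,10.10.1.50,10.10.2.11,tcp,2404
2016-12-17T22:41:05,10.10.1.50,10.10.2.12,tcp,2404
2016-12-17T22:41:09,10.10.1.50,10.10.2.13,tcp,2404
2016-12-17T22:42:40,10.10.1.50,10.10.3.21,udp,50000
2016-12-17T22:42:41,10.10.1.50,10.10.3.22,udp,50000
2016-12-17T22:43:00,10.10.1.50,10.10.3.23,udp,50000
"""


def parse_flows(text):
    """Parse the CSV-style records above into dicts sorted by timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport)})
    return sorted(flows, key=lambda f: f["ts"])


def find_protection_attack_sequences(flows, window=timedelta(minutes=30), min_relays=2):
    """Return {src: evidence} for hosts that sent IEC 104 control traffic to RTUs
    and, within `window` before their first relay probe, UDP/50000 to at least
    `min_relays` distinct relays.  Requiring the two-step sequence (rather than
    any single UDP/50000 packet) keeps legitimate engineering traffic from
    tripping the check on its own."""
    control_by_src = defaultdict(list)
    relay_hits_by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == IEC104_PORT:
            control_by_src[f["src"]].append(f)
        elif f["proto"] == "udp" and f["dport"] == SIPROTEC_DOS_PORT:
            relay_hits_by_src[f["src"]].append(f)

    findings = {}
    for src, hits in relay_hits_by_src.items():
        first_hit = hits[0]["ts"]
        prior_controls = [c for c in control_by_src.get(src, [])
                          if first_hit - window <= c["ts"] <= first_hit]
        relays = sorted({h["dst"] for h in hits})
        if prior_controls and len(relays) >= min_relays:
            findings[src] = {
                "rtus_controlled": sorted({c["dst"] for c in prior_controls}),
                "relays_targeted": relays,
                "first_control": prior_controls[0]["ts"].isoformat(),
                "first_relay_hit": first_hit.isoformat(),
            }
    return findings


if __name__ == "__main__":
    for src, evidence in find_protection_attack_sequences(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT: {src} controlled RTUs {evidence['rtus_controlled']} "
              f"then probed relays {evidence['relays_targeted']} "
              f"({evidence['first_control']} -> {evidence['first_relay_hit']})")
```

In the constructed data only the engineering host is flagged; the SCADA master that polls an RTU earlier in the day never touches the relays and is ignored. In a real substation network the window, the relay address list and the set of control protocols (Crashoverride also carried IEC 101, IEC 61850 and OPC DA modules, which this check does not cover) would need to be tuned to the site, and any UDP/50000 traffic from a host that is not a known engineering workstation deserves a look on its own.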
Slowik also points out that even if the DoS attacks on the SIPROTEC relays had succeeded, it is unclear whether Electrum would have achieved its presumed goal of causing physical damage: transmission environments typically have other layers of protection and safeguards in place that may have mitigated the attack.
“If CRASHOVERRIDE worked as ELECTRUM most likely intended, the potential outage would have been more widespread than 2015 given the number of transmission devices targeted. Additionally, the duration of the outage may have stretched to months or longer if disabling protection prior to system restoration yielded physical damage to transmission operations,” Dragos said in its report. “While the actual efficacy of CRASHOVERRIDE – even if it had worked as intended – remains unclear given a myriad of other controls and safeguards in electric transmission, the sequence of steps executed clearly demonstrates a more complex and concerning attack than past electric service disruptions.”