According to a study by an American cybersecurity company, hackers associated with the Russian government have created a malicious program that could cause serious damage to power grids in the United States.
This malware, dubbed CrashOverride, has already taken down a power grid once: in December of last year in Ukraine, the hackers briefly cut off a fifth of the electricity supplied to Kiev.
If modified, this malware could also be used against the American electricity transmission and distribution system, and the effect would be catastrophic, according to Sergio Caltagirone, director of threat intelligence at the security company Dragos, which conducted the study and published its results on Monday, June 12.
“This is the culmination of over ten years of theory and study of attack scenarios,” said Caltagirone. “It is a factor that fundamentally changes the rules of the game.”
The Dragos study was published at a time when the U.S. government is investigating last year’s large-scale, ambitious campaign by the Russian government aimed at disrupting the US presidential election and influencing its outcome. In that campaign, Russia used a variety of methods, including hacking hundreds of political and other organizations and exerting influence through social networks.
Dragos named the group of hackers who created this new malware Electrum, and its experts stated with a high degree of confidence that Electrum used the same computer systems as the hackers who attacked Ukraine’s electricity grid in 2015. That attack, which left 225,000 Ukrainians without electricity, was conducted by hackers working for the Russian government, according to the American experts. U.S. government officials have made no public statements about the Russian government’s involvement in the attack, but some of them privately admit that they agree with the conclusions of the private companies.
“The attack on the power grid of Ukraine was made by the same Russian hacking group that has attacked U.S. industrial control systems,” said John Hultquist, who analyzed both incidents while working at iSight Partners, now owned by FireEye, where he heads the analytical department dealing with cyber-espionage. Hultquist’s team called the hacking group Sandworm.
“We believe that Sandworm is somehow connected with the Russian government. But we do not know whether they are contractors or current employees of government agencies,” he said. “We believe that they are connected with the security services.”
Sandworm and Electrum may be a single hacker group or two separate groups working within the same organization; either way, the assessment indicates that they are connected, according to the head of Dragos, Robert M. Lee.
The Department of Homeland Security, which works with the owners of key national infrastructure, did not respond to a request for comment.
Energy experts say the new malware is good reason for concern, and that companies are trying to develop methods to confront the hackers trying to break into their systems.
“American companies are improving their security systems, but hacker tools like this carry serious risks for the smooth operation of energy systems,” said Michael J. Assante, who worked at Idaho National Labs and was head of the security division at the North American Electric Reliability Corporation.
CrashOverride was the second malicious program specifically designed to disrupt and disable industrial monitoring and control systems. Stuxnet, a malicious program created by the United States and Israel to damage Iran’s nuclear capability, was an advanced cyberweapon that disrupted the operation of centrifuges used for uranium enrichment.
In 2015, the Russians used malware to gain access to power grids in western Ukraine, but, according to Hultquist, it was hackers sitting at keyboards who manipulated the control and management systems, not the malware itself.
As for CrashOverride, “the most worrying thing is that this is part of a larger scheme,” said Dragos expert Dan Gunter.
According to Gunter, this malware is like a Swiss army knife, with different tools for different tasks.
In theory, the malware could be modified to attack various types of industrial control systems. However, according to Lee, the adversary has not yet demonstrated that level of sophistication.
Meanwhile, according to Gunter, the hackers probably had the expertise and resources that allowed them not only to develop the program but also to test it. “This indicates the existence of larger-scale programmes, such as those often associated with government or well-funded collective operations.”
One of the most dangerous features of CrashOverride is that it allows the attacker to manipulate the settings of power grid control systems. It finds the key components that control circuit breakers, which allows it to interrupt the supply of electricity. The program is able to control the switches even when the grid operator tries to intervene and restore the flow, resulting in a prolonged interruption in the supply of electricity.
The malware also contains a component that wipes the computer system controlling the switches, forcing the operator to go into manual mode, that is, to travel to the substation to restore the supply of electricity.
According to Lee, with this malware at their disposal, hackers could attack from numerous sites, planting “ticking time bombs” in their systems that could then go off simultaneously. In this way they could cause outages in several areas at the same time.
According to Lee, an outage could last several hours, sometimes a couple of days. This is because American companies have operators who are specially trained in how to act in case of interruptions in the electricity supply caused by hurricanes. “They are able to restore supply in manual mode,” he added.
Therefore, according to him, although this malware is a “significant leap forward in this area, none of the doomsday scenarios is being discussed yet.”
Samples of this malware were first discovered by experts at the Slovak company ESET, which shared some of those samples with Dragos. ESET’s experts call the malware Industroyer.