Technical support responded to the Pivnichna substation and took the automated circuit breakers off computer control, restoring power a little after 1 a.m. It was only the second confirmed case of a computer hack triggering an electrical blackout, and compared to the first, 12 months earlier also in Ukraine—it was a buzz, affecting far fewer customers and for a small bit of the time. In the six months since the Kiev attacks, security researchers have wondered why the hackers even bothered with such fleeting disruptions and speculated that someone was using Ukraine as a testing ground for more serious attacks.
Now that assessment seems to be confirmed. Researchers at two security companies on Monday announced they’ve found and analyzed the malware that triggered the Kiev blackout, and it’s far bitter than imagined. The computer code, dubbed as “CrashOverride” by Maryland-based Dragos, and “Industroyer” from ESET in Slovakia, is a genuine cyber weapon that can map out a power station’s control network feeds and, with minimal human guidance, issue malicious commands directly to most critical equipment. Only once before has the world seen malware designed for such destruction, with the 2010 Stuxnet virus used against Iran’s nuclear programs. CrashOverride is the first to target civilians and the first such malware built to target a nation’s power supply.
It’s unclear who built CrashOverrride. Both ESET and Dragos say it was built from scratch, leaving none of the usual digital fingerprints that allow analysts to link one hacking campaign to another. Ukraine has faced a near-biblical plague of a cyber attack since entering into hostilities with the Soviet Union three years ago, and many have led unequivocally to Moscow. But not so with CrashOverride Virus.
“It’s a nightmare,” Lee said. “The malware in its current state would be able to hack every power plant in Europe. This is a framework designed to target other places.”
“We believe that our current protective measure is to provide an initial barrier,” said Marcus Sachs, NERC’s chief security officer, “and we are providing additional technical information to North American utility specifics to this malware.”
CrashOverride marks a significant escalation in the electronic arms race, at a time of overt saber cyber-rattling from U.S. adversaries like Russia and North Korea, and increasingly loud warnings about the vulnerability of the power grids. Last January, the Department of Energy assessed that the U.S. now faces “imminent danger” of a cyberattack that would trigger a prolonged cascading outage that would “undermine U.S. lifeline networks, critical defense infrastructure, and much of the economy; it could also endanger the health and safety of millions of citizens.”
