The Industroyer worm is aimed at taking control of electricity substation switches and circuit breakers directly, using standard industrial communication protocols, say researchers at ESET.
The modular software is based around a backdoor that the attackers use to manage the attack; it installs and controls the other components, connecting to a remote server to receive commands and to report back to the attackers.
What sets Industroyer apart from other malware targeting infrastructure is its use of four payload components, which are designed to gain direct control of switches and circuit breakers at an electricity distribution substation, says Anton Cherepanov, senior malware researcher at ESET.
The payloads generally work in stages: first mapping the network, then working out and issuing commands that the specific industrial control devices will accept. Industroyer’s payloads show the authors’ deep knowledge and understanding of industrial control systems using the communication protocols from IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA).
ESET was created in 1992 in Bratislava, Slovakia and has research teams in Slovakia, Germany, the US, Canada and Argentina. The researchers dismantled the code and found features designed to enable it to remain under the radar and wipe all traces of itself after it has done its job.
The wiper module is designed to erase system-crucial Registry keys and overwrite files to make the system unbootable and the recovery harder. Of interest is the port scanner that maps the network, trying to find relevant computers: the attackers made their own custom tool instead of using existing software.
Industroyer is highly customizable and can be used to attack any industrial control system that uses some of the targeted communication protocols. Some of the components in analyzed samples were designed to target particular hardware, such as industrial power control products by ABB, while the denial of service (DoS) component works specifically against Siemens SIPROTEC devices used in electrical substations and other related fields of application.
The software contains an activation timestamp for December 17th, 2016, the day of a major power outage in the Ukrainian city of Kiev.