Modular threats and two-tiered development are the wave of the future.

The bad day is getting closer

The latest threat on the energy horizon is the ELECTRUM group and its CRASHOVERRIDE malware, as reported by Dragos, Inc. The combination of the apparent two-tiered development (malware coders and ICS/SCADA system experts) and modular functions makes this an attractive malware package to customize for attacks against U.S. natural gas entities.

The childhood of a cyber monster

The DRAGONFLY group is attributed with the HAVEX RAT (2013 – ?), malware that leveraged legitimate functionality in the OPC protocol to map out the industrial equipment and devices on an ICS network. The OPC protocol is designed to be the universal translator for many industrial components and is readily accessible in an HMI or a dedicated OPC server. There was no physical disruption or destruction of the industrial process; HAVEX “merely” mapped networks in detail. That is exactly the data you would want in order to design future attacks tailored to the specific targets the malware had reached.

The SANDWORM group has targeted numerous sectors, ranging from western militaries, governments, research organizations and defense contractors to industrial sites. It was their use of the BLACKENERGY 2 malware that caught the ICS industry’s attention. This ICS-tailored malware contained exploits for specific types of HMI applications, including Siemens SIMATIC, GE CIMPLICITY and Advantech WebAccess. BLACKENERGY 2 was a smart approach by the adversaries to target internet-connected HMIs. Upon exploiting the HMIs, the adversaries had access to a central location in the ICS from which to learn the industrial process and obtain the graphical representation of that ICS through the HMI. Targeting HMIs alone is often not enough to cause physical damage, but they are an ideal target for espionage and positioning within an ICS.
BLACKENERGY 3 continued this approach with additional capability to exfiltrate network information. All BLACKENERGY packages blur the lines between crimeware and state-sponsored attacks because of code sharing.

All your base…

CRASHOVERRIDE is attributed to the ELECTRUM group. It is not tied to any particular vendor or configuration vulnerability; instead it leverages knowledge of grid operations and network communications. For that reason it can be immediately re-purposed in Europe and portions of the Middle East and Asia. CRASHOVERRIDE is extensible, and with a small amount of tailoring, such as the inclusion of a DNP3 protocol stack, it would also be effective against the North American grid.

Originally developed for the electrical power industry, the DNP3 protocol has expanded over the last two decades into industries such as Oil & Gas, Water & Wastewater and Transportation, among others. In many areas it has been adopted as a standard.

Temporary delay of game

CRASHOVERRIDE could be extended to other industries with additional protocol modules, but the adversaries have not demonstrated knowledge of other physical industrial processes, so that assessment remains hypothetical at this point; protocol changes alone would be insufficient.

Conclusion

ELECTRUM could easily leverage external development teams skilled at exploiting natural gas-centric industrial control systems. Some adversaries would likely approach capability development through a ‘two-tier’ approach: a core development team skilled at writing the overall framework and a second team knowledgeable about a given control system. The platform team would take the control system modules and add logic to fit them within the platform.

Air-gapped networks, unidirectional firewalls, anti-virus in the ICS, and other passive defenses and architecture changes are not appropriate solutions for this attack. No amount of security control will protect against a determined human adversary.
Human defenders are required.
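The article's point that a DNP3 module is the missing piece for the North American grid has a defensive counterpart: human defenders watching DNP3 traffic for process-changing commands from a master the site does not recognise. The following is an added example, not code from the article or from Dragos; it assumes a passive monitor that sees raw DNP3 link frames, and ALLOWED_MASTERS, build_frame and the frames it constructs are placeholders for illustration.

```python
import struct
# Application-layer function codes that change process state (DNP3 spec values).
CONTROL_FUNCTIONS = {0x03: "SELECT", 0x04: "OPERATE", 0x05: "DIRECT_OPERATE",
                     0x06: "DIRECT_OPERATE_NR", 0x0D: "COLD_RESTART",
                     0x0E: "WARM_RESTART", 0x15: "DISABLE_UNSOLICITED"}
ALLOWED_MASTERS = {1}  # constructed: link-layer addresses of the site's real masters

def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(src: int, dst: int, app_fc: int, objects: bytes = b"") -> bytes:
    """Constructed helper: wrap an application request in a DNP3 link frame."""
    user = bytes([0xC0, 0xC0, app_fc]) + objects  # transport + app control = FIR|FIN
    # link control 0xC4 = DIR|PRM, UNCONFIRMED_USER_DATA; length counts header+data, no CRCs
    header = bytes([0x05, 0x64, 5 + len(user), 0xC4]) + struct.pack("<HH", dst, src)
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user), 16):  # every 16-byte user-data block gets its own CRC
        block = user[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame

def parse_frame(frame: bytes) -> dict:
    """Check sync bytes and every CRC, then return the link and application fields."""
    if frame[:2] != b"\x05\x64" or len(frame) < 10:
        raise ValueError("not a DNP3 frame")
    if crc_dnp(frame[:8]) != struct.unpack("<H", frame[8:10])[0]:
        raise ValueError("header CRC mismatch")
    dst, src = struct.unpack("<HH", frame[4:8])
    user, pos, remaining = b"", 10, frame[2] - 5
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if len(frame) < pos + n + 2 or crc_dnp(block) != struct.unpack("<H", frame[pos + n:pos + n + 2])[0]:
            raise ValueError("data CRC mismatch or truncated frame")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    return {"src": src, "dst": dst, "link_fc": frame[3] & 0x0F,
            "app_fc": user[2] if len(user) >= 3 else None}

def assess(frame: bytes) -> str:
    """Alert on process-changing commands from a master the site does not know."""
    f = parse_frame(frame)
    name = CONTROL_FUNCTIONS.get(f["app_fc"])
    if name and f["src"] not in ALLOWED_MASTERS:
        return f"ALERT {name} from unauthorised master {f['src']} to outstation {f['dst']}"
    return "ok"
```

A frame that fails a CRC is rejected before any field is trusted, so a corrupted or truncated capture cannot masquerade as a benign read.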