CRASHOVERRIDE poised to affect Natural Gas?

The bad day is getting closer

The latest threat on the energy horizon is the ELECTRUM group its CRASHOVERRIDE malware, as reported by Dragos, Inc. The combination of the apparent two-tiered development (malware coding and ICS/SCADA system experts) and modular functions makes this an attractive malware package to customize for attacks against U.S. natural gas entities. 

The childhood of a cyber monster

DRAGONFLY group is attributed to the HAVEX RAT (2013 – ?) malware that leveraged legitimate functionality in the OPC protocol to map out the industrial equipment and devices on an ICS network. The OPC protocol is designed to be the universal translator for many industrial components and is readily accessible in an HMI or dedicated OPC server. There was no physical disruption or destruction of the industrial process. Instead, HAVEX “merely” mapped networks in detail.  It was the type of data you would want to leverage to design attacks in the future, built for the specific targets impacted with the malware.

The SANDWORM group has targeted numerous industries ranging from western militaries, governments, research organizations, defense contractors, and industrial sites. It was their use of the BLACKENERGY 2 malware that caught the ICS industry’s attention. This ICS tailored malware contained exploits for specific types of HMI applications including Siemens SIMATIC, GE CIMPLICITY, and Advantech WebAccess. BLACKENERGY 2 was a smart approach by the adversaries to target internet connected HMIs. Upon exploitation of the HMIs, the adversaries had access to a central location in the ICS to start to learn the industrial process and gain the graphical representation of that ICS through the HMI. The targeting of HMIs alone is often not enough to cause physical damage, but it is an ideal target for espionage and positioning in an ICS.  BLACKENERGY 3 continued this approach with additional capability to exfiltrate network information.  All BLACKENERGY packages blur the lines between crimeware and state-sponsored attacks due to sharing of code.

All your base…

CRASHOVERRIDE is attributed to the ELECTRUM group.  CRASHOVERRIDE is not unique to any particular vendor or configuration vulnerability, and instead leverages knowledge of grid operations and network communications. In that way, it can be immediately re-purposed in Europe and portions of the Middle East and Asia.

CRASHOVERRIDE is extensible and with a small amount of tailoring such as the inclusion of a DNP3 protocol stack would also be effective in the North American grid.

Originally developed for the electrical power industry, the DNP3 protocol has expanded over the last two decades into industries such as Oil & Gas, Water & Wastewater, and Transportation, among others. In many areas it has been adopted as a standard.

Temporary delay of game

CRASHOVERRIDE could be extended to other industries with additional protocol modules, but the adversaries have not demonstrated the knowledge of other physical industrial processes to be able to make that assessment anything other than a hypothetical at this point and protocol changes alone would be insufficient.

Conclusion

ELECTRUM could easily leverage external development teams skilled at exploiting natural gas-centric industrial control systems. Some adversaries would likely approach capability development through a ‘two-tier’ approach: a core development team skilled at writing the overall framework and a second team knowledgeable about a given control system. The platform team would take the control system modules and add logic to fit them within the platform.

Air gapped networks, unidirectional firewalls, anti-virus in the ICS, and other passive defenses and architecture changes are not appropriate solutions for this attack. No amount of security control will protect against a determined human adversary. Human defenders are required.