Russia has developed cyber weapon that can disrupt power grids
Hackers allied with the Russian government have devised a cyber weapon that has the potential to be the most disruptive yet against electric systems that most people depend on for daily life.
The malware, which researchers have dubbed CrashOverride, is known to have disrupted only one energy system - in Ukraine in December. In that incident, the hackers briefly shut down one-fifth of the electric power generated in Kiev.
But with modifications, it could be deployed against electric transmission and distribution systems to devastating effect, said Sergio Caltagirone, director of threat intelligence for Dragos, a cybersecurity firm that studied the malware.
And Russian government hackers have already shown their interest in targeting US energy and other utility systems, researchers said.
READ MORE: Stuxnet cyberweapon older than believed
"It's the culmination of over a decade of theory and attack scenarios," Caltagirone warned. "It's a game changer."
Dragos has named the group that created the new malware Electrum, and has determined with high confidence that it used the same computer systems as the hackers who attacked the Ukraine electric grid in 2015.
That attack, which left 225,000 customers without power, was carried out by Russian government hackers, other researchers concluded.
Energy-sector experts said that the new malware is cause for concern, but that the industry is seeking to develop ways to disrupt attackers who breach their systems.
"US utilities have been enhancing their cybersecurity, but attacker tools like this one pose a very real risk to reliable operation of power systems," said Michael Assante, who worked at Idaho National Labs.
CrashOverride is only the second instance of malware specifically tailored to disrupt or destroy industrial control systems.
Stuxnet, the worm created by the United States and Israel to disrupt Iran's nuclear enrichment capability, was an advanced military-grade weapon designed to affect centrifuges that enrich uranium.
With CrashOverride, "what is particularly alarming . . . is that it is all part of a larger framework," said Dan Gunter, a senior threat hunter for Dragos.
The malware is like a Swiss Army knife, where you flip open the tool you need, and where different tools can be added to achieve different effects, Gunter said.
Theoretically, the malware can be modified to attack different types of industrial control systems, such as water and gas.
One of the most insidious tools in CrashOverride manipulates the settings on electric power control systems. It scans for critical components that operate circuit breakers and opens the circuit breakers, which stops the flow of electricity. It continues to keep them open even if a grid operator tries to close them, creating a sustained power outage.
The malware also has a "wiper" component that erases the software on the computer system that controls the circuit breakers, forcing the grid operator to revert to manual operations, which means driving to the substation to restore power.
With this malware, the attacker can target multiple locations with a "time bomb" functionality and set the malware to trigger simultaneously. That could create outages in different areas at the same time.
The outages would last a few hours and probably not more than a couple of days.
- The Washington Post