U.S. Power Companies Warned Nightmare Cyber Weapon Already Causing Blackouts

U.S. Power Companies Warned ‘Nightmare’ Cyber Weapon Already Causing Blackouts
http://www.thedailybeast.com/newly-discovered-nightmare-cyber-weapon-is-already-causing-blackouts

Seven minutes before midnight last Dec. 17, a bomb of sorts went off in a high-voltage substation north of Kiev.

But if you were standing outside the 20 acres of gleaming metal transformers and coils, you wouldn’t have heard a bang or seen a flash. It wasn’t that kind of bomb. It was a piece of malicious software that had been hiding in a control-room computer miles away, waiting for the right time to reveal itself. At 11:53 p.m., the logic bomb transmitted a staccato burst of pre-programmed commands to the substation, popping one circuit breaker after another until a strip of houses in and around western Kiev were plunged into darkness.

Technicians responded to the Pivnichna substation and took the circuit breakers off computer control, restoring power a little after 1 a.m. It was only the second confirmed case of a computer attack triggering an electrical blackout, and compared to the first, 12 months earlier—also in Ukraine—it was a fizzle, affecting far fewer customers and for a fraction of the time. In the six months since the Kiev attack, security researchers have wondered why the hackers even bothered with such a fleeting disruption and speculated that someone was using Ukraine as a testing ground for a more serious attack.

Now that dark assessment seems to be confirmed. Researchers at two security companies on Monday announced they’ve finally found and analyzed the malware that triggered the Kiev blackout, and it’s far worse than imagined. The computer code, dubbed “CrashOverride” by Maryland-based Dragos, and “Industroyer” by ESET in Slovakia, is a genuine cyber weapon that can map out a power station’s control network and, with minimal human guidance, issue malicious commands directly to critical equipment. Only once before has the world seen malware designed for such sabotage, with the 2010 Stuxnet virus used against Iran’s nuclear program. CrashOverride is the first to target civilians and the first such malware built to target a nation’s power supply.

It’s unclear who created CrashOverrride. Both ESET and Dragos say it was built from scratch, leaving none of the usual fingerprints that allow analysts to link one hacking campaign to another. Ukraine has faced a near-biblical plague of cyberattacks since entering into hostilities with Russia three years ago, and many have led unequivocally to Moscow. But not so with CrashOverride. The only thing that’s certain, says security researcher Robert Lee, CEO of Dragos, is that the malware wasn’t built as a one-time weapon. It’s designed from the ground up to be easily reconfigured for a variety of targets and contains some payloads that weren’t even fired off in the Kiev attack.

“It’s a nightmare,” Lee said. “The malware in its current state would be usable for every power plant in Europe. This is a framework designed to target other places.”