A malware framework known as CRASHOVERRIDE has emerged as the main suspect behind a December 2016 cyberattack in Ukraine that cut power to hundreds of thousands of citizens. In a threat report published by security firm Dragos on Monday, the company said that the malware could have been developed to carry out multiple additional attacks.
According to the report, Dragos was initially tipped off about the malware from antivirus company ESET. After studying a sample, Dragos was able to link it back to the power grid attack in Kiev, Ukraine. Their assessment that it was the same malware that was used in Kiev was made “with high confidence,” the report said.
CRASHOVERRIDE marks the first instance of a malware framework designed specifically to attack electric grids, the report found. It’s also the second type of malware designed to specifically disrupt a physical industrial processes, following the Stuxnet attack that took out an Iranian nuclear facility in 2010.
Because the CRASHOVERRIDE framework isn’t tied to a certain vendor or setup, it can more effectively target electrical grids with information about how these grids operate and perform, according to the report. This means that it can be immediately “re-purposed in Europe and portions of the Middle East and Asia,” the report said, and that it could be tailored to attack the North American grid as well.
Because of the way the malware is designed, the Dragos report also theorized that it could be used against multiple grids at one time, in order to create a widespread attack. However, its use would only lead to outages lasting for a few hours or, at most, a few days, and its effects wouldn’t be considered cataclysmic.
Dragos also reported that the framework could be adapted to affect other industries as well, but that is simply a hypothetical assessment at this point.
The surprising thing about CRASHOVERRIDE is that it seems to exist solely to disrupt the processes of the grid and cause outages. Dragos couldn’t find any evidence that the malware was used to steal information.
The 3 big takeaways for TechRepublic readers
- A new malware framework known as CRASHOVERRIDE could have been the cause of the December 2016 cyberattack in Ukraine that took down its electrical grid, according to a Dragos report.
- CRASHOVERRIDE could be used in other regions, and against other industries as well, the report said.
- CRASHOVERRIDE doesn’t perform any espionage; rather, it exists only to disrupt grid operations, the report noted.