Tag Archive

Biggest threat to industrial control systems since Stuxnet

As your IT security provider, we wanted to update you on some recent breaking news.

ESETESET has discovered a new malware strain designed specifically to target industrial control systems-such as electric power grids.

The malware, detected by ESET as Win32/Industroyer, is believed to have been used in the December 2016 attack on Ukraine’s power grid that caused a major blackout.

ESET detects and blocks Industroyer. Our role in identifying this threat is just another example of our commitment to innovation and technical excellence.

Industroyer: Biggest threat to industrial control systems since Stuxnet

The 2016 attack on Ukraine’s power grid that deprived part of its capital, Kiev, of power for an hour was caused by a cyberattack. ESET researchers have since analyzed samples of malware, detected by ESET as Win32/Industroyer, capable of performing exactly that type of attack.

Whether the same malware was really involved in what cybersecurity experts consider to have been a large-scale test is yet to be confirmed. Regardless, the malware is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.

Figure 1: Scheme of Industroyer operation

Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).

These switches and circuit breakers are digital equivalents of analogue switches; technically they can be engineered to perform various functions. Thus, the potential impact may range from simply turning off power distribution, cascading failures and more serious damage to equipment. The severity may also vary from one substation to another, as well. Needless to say, disruption of such systems can directly or indirectly affect the functioning of vital services.

Industroyer’s dangerousness lies in the fact that it uses protocols in the way they were designed to be used. The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world. Thus, their communication protocols were not designed with security in mind. That means that the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware “to speak” those protocols.

The recent power outage occurred on December 17th, 2016, almost exactly one year after the well-documented cyberattack that caused a blackout that affected around 250,000 households in several regions in Ukraine on December 23rd, 2015.

In 2015, the perpetrators infiltrated the electricity distribution networks with the BlackEnergy malware, along with KillDisk and other malicious components, and then abused legitimate remote access software to control operators’ workstations and to cut off power. Aside from targeting the Ukrainian power grid, there are no apparent similarities in code between BlackEnergy and Industroyer.

Structure and key functionalities

Industroyer is modular malware. Its core component is a backdoor used by attackers to manage the attack: it installs and controls the other components and connects to a remote server to receive commands and to report to the attackers.

What sets Industroyer apart from other malware targeting infrastructure is its use of four payload components, which are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.

Each of these components targets particular communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA).

Generally, the payloads work in stages whose goals are mapping the network, and then figuring out and issuing commands that will work with the specific industrial control devices. Industroyer’s payloads show the authors’ deep knowledge and understanding of industrial control systems.

Figure 2: Components of Industroyer malware

The malware contains a few more features that are designed to enable it to remain under the radar, to ensure the malware’s persistence, and to wipe all traces of itself after it has done its job.

For example, the communication with the C&C servers hidden in Tor can be limited to non-working hours. Also, it employs an additional backdoor – masquerading as the Notepad application – designed to regain access to the targeted network in case the main backdoor is detected and/or disabled.

And its wiper module is designed to erase system-crucial Registry keys and overwrite files to make the system unbootable and the recovery harder. Of interest is the port scanner that maps the network, trying to find relevant computers: the attackers made their own custom tool instead of using existing software. Finally, yet another module is a Denial-of-Service tool that exploits the CVE-2015-5374 vulnerability in Siemens SIPROTEC devices and can render targeted devices unresponsive.


Industroyer is highly customizable malware. While being universal, in that it can be used to attack any industrial control system using some of the targeted communication protocols, some of the components in analyzed samples were designed to target particular hardware. For example, the wiper component and one of the payload components are tailored for use against systems incorporating certain industrial power control products by ABB, and the DoS component works specifically against Siemens SIPROTECT devices used in electrical substations and other related fields of application.

While in principle it’s difficult to attribute attacks to malware without performing an on-site incident response, it’s highly probable that Industroyer was used in the December 2016 attack on the Ukrainian power grid. On top of the fact that the malware clearly possesses the unique capabilities to perform the attack, it contains an activation timestamp for December 17th, 2016, the day of the power outage.

The 2016 attack on the Ukrainian power grid attracted much less attention than the attack that occurred a year earlier. However, the tool most likely used, Win32/Industroyer, is an advanced piece of malware in the hands of a sophisticated and determined attacker.

Thanks to its ability to persist in the system and provide valuable information for tuning-up the highly configurable payloads, attackers could adapt the malware to any environment, which makes it extremely dangerous. Regardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve as a wake-up call for those responsible for security of critical systems around the world.

Additional technical details on the malware and Indicators of Compromise can be found in our comprehensive white paper, and on github. For any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com.

learn more

11 things you can do to protect against ransomware, including Cryptolocker

11 things you can do to protect against ransomware, including Cryptolocker

Update: Don’t be a victim of ransomware: Learn how to stand up to Cryptowall: Download our tech brief.

[Update: Check out the May, 2016 webinar on ransomware for updates on this threat and how to defeat it. Readers in North America can download this report on protecting against ransomware.]

Ransomware is malicious software that cyber criminals use to hold your computer or computer files for ransom, demanding payment from you to get them back. Sadly, ransomware is becoming an increasingly popular way for malware authors to extort money from companies and consumers alike. There is a variety of ransomware can get onto a person’s machine, but as always, those techniques either boil down to social engineering tactics or using software vulnerabilities to silently install on a victim’s machine.

Why is Cryptolocker so noteworthy?

One specific ransomware threat that has been in the news a lot lately is Cryptolocker (detected by ESET as Win32/Filecoder -check the ESET Knowledge Base for updated information on detection of Cryptolocker and other ransomware). The perpetrators of Cryptolocker have been emailing it to huge numbers of people, targeting particularly the US and UK. Like a notorious criminal, this malware has been associated with a variety of other bad actors – backdoor Trojans, downloaders, spammers, password-stealers, ad-clickers and the like. Cryptolocker may come on its own (often by email) or by way of a backdoor or downloader, brought along as an additional component.

You may wonder why the big fuss over this one particular ransomware family – in essence, it is because Cryptolocker’s authors have been both nimble and persistent. There has been a concerted effort to pump out new variants, keeping up with changes in protection technology, and targeting different groups over time.

Since the beginning of September, the malware authors have sent waves of spam emails targeting different groups. Most of the targeted groups have been in the US and the UK, but there is no geographical limit on who can be affected, and plenty of people outside of either country have been hit. Initially emails were targeting home users, then small to medium businesses, and now they are going for enterprises as well.

The malware also spreads via RDP ports that have been left open to the Internet, as well as by email. Cryptolocker can also affect a user’s files that are on drives that are “mapped”, which is to say, they have been given a drive letter (e.g. D:, E:, F: ). This could be an external hard-drive including USB thumb drives, or it could be a folder on the network or in the Cloud. If you have, say, your Dropbox folder mapped locally, it can encrypt those files as well.

At this point, tens of thousands of machines have been affected, though it is estimated that the criminals have sent millions of emails. Hopefully the remainder of recipients simply deleted the malicious emails without opening them, rather than them sitting unopened, waiting to unleash more pain.

Those people that have been affected have had a large number of their files encrypted. These files are primarily popular data formats, files you would open with a program (like Microsoft Office, Adobe programs, iTunes or other music players, or photo viewers). The malware authors use two types of encryption: The files themselves are protected with 256-bit AES encryption. The keys generated by this first encryption process are then protected with 2048-bit RSA encryption, and the malware author keeps the private key that would allow both the keys on the user’s machine and the files they protect, to be decrypted. The decryption key cannot be brute-forced, or gathered from the affected computer’s memory. The criminals are the only ones who ostensibly have the private key.

What can you do about it?

On the one hand, ransomware can be very scary – the encrypted files can essentially be considered damaged beyond repair. But if you have properly prepared your system, it is really nothing more than a nuisance. Here are a few tips that will help you keep ransomware from wrecking your day:

1. Back up your data
The single biggest thing that will defeat ransomware is having a regularly updated backup. If you are attacked with ransomware you may lose that document you started earlier this morning, but if you can restore your system to an earlier snapshot or clean up your machine and restore your other lost documents from backup, you can rest easy. Remember that Cryptolocker will also encrypt files on drives that are mapped. This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores that you have assigned a drive letter. So, what you need is a regular backup regimen, to an external drive or backup service, one that is not assigned a drive letter or is disconnected when it is not doing backup.

The next three tips are meant to deal with how Cryptolocker has been behaving – this may not be the case forever, but these tips can help increase your overall security in small ways that help prevent against a number of different common malware techniques.

2. Show hidden file-extensions
One way that Cryptolocker frequently arrives is in a file that is named with the extension “.PDF.EXE”, counting on Window’s default behavior of hiding known file-extensions. If you re-enable the ability to see the full file-extension, it can be easier to spot suspicious files.

3. Filter EXEs in email
If your gateway mail scanner has the ability to filter files by extension, you may wish to deny mails sent with “.EXE” files, or to deny mails sent with files that have two file extensions, the last one being executable (“*.*.EXE” files, in filter-speak). If you do legitimately need to exchange executable files within your environment and are denying emails with “.EXE” files, you can do so with ZIP files (password-protected, of course) or via cloud services.

4. Disable files running from AppData/LocalAppData folders
You can create rules within Windows or with Intrusion Prevention Software, to disallow a particular, notable behavior used by Cryptolocker, which is to run its executable from the App Data or Local App Data folders. If (for some reason) you have legitimate software that you know is set to run not from the usual Program Files area but the App Data area, you will need to exclude it from this rule.

5. Use the Cryptolocker Prevention Kit
The Cryptolocker Prevention Kit is a tool created by Third Tier that automates the process of making a Group Policy to disable files running from the App Data and Local App Data folders, as well as disabling executable files from running from the Temp directory of various unzipping utilities. This tool is updated as new techniques are discovered for Cryptolocker, so you will want to check in periodically to make sure you have the latest version. If you need to create exemptions to these rules, they provide this document that explains that process.

6. Disable RDP
The Cryptolocker/Filecoder malware often accesses target machines using Remote Desktop Protocol (RDP), a Windows utility that allows others to access your desktop remotely. If you do not require the use of RDP, you can disable RDP to protect your machine from Filecoder and other RDP exploits. For instructions to do so, visit the appropriate Microsoft Knowledge Base article below:

7. Patch or Update your software
These next two tips are more general malware-related advice, which applies equally to Cryptolocker as to any malware threat. Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. It can significantly decrease the potential for ransomware-pain if you make a practice of updating your software often. Some vendors release security updates on a regular basis (Microsoft and Adobe both use the second Tuesday of the month), but there are often “out-of-band” or unscheduled updates in case of emergency. Enable automatic updates if you can, or go directly to the software vendor’s website, as malware authors like to disguise their creations as software update notifications too.

8. Use a reputable security suite
It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behavior. Malware authors frequently send out new variants, to try to avoid detection, so this is why it is important to have both layers of protection. And at this point, most malware relies on remote instructions to carry out their misdeeds. If you run across a ransomware variant that is so new that it gets past anti-malware software, it may still be caught by a firewall when it attempts to connect with its Command and Control (C&C) server to receive instructions for encrypting your files.

If you find yourself in a position where you have already run a ransomware file without having performed any of the previous precautions, your options are quite a bit more limited. But all may not be lost. There are a few things you can do that might help mitigate the damage, particularly if the ransomware in question is Cryptolocker:

9. Disconnect from WiFi or unplug from the network immediately
If you run a file that you suspect may be ransomware, but you have not yet seen the characteristic ransomware screen, if you act very quickly you might be able to stop communication with the C&C server before it finish encrypting your files. If you disconnect yourself from the network immediately (have I stressed enough that this must be done right away?), you might mitigate the damage. It takes some time to encrypt all your files, so you may be able to stop it before it succeeds in garbling them all. This technique is definitely not foolproof, and you might not be sufficiently lucky or be able to move more quickly than the malware, but disconnecting from the network may be better than doing nothing.

10. Use System Restore to get back to a known-clean state
If you have System Restore enabled on your Windows machine, you might be able to take your system back to a known-clean state. But, again, you have to out-smart the malware. Newer versions of Cryptolocker can have the ability to delete “Shadow” files from System Restore, which means those files will not be there when you try to to replace your malware-damaged versions. Cryptolocker will start the deletion process whenever an executable file is run, so you will need to move very quickly as executables may be started as part of an automated process. That is to say, executable files may be run without you knowing, as a normal part of your Windows system’s operation.

11. Set the BIOS clock back
Cryptolocker has a payment timer that is generally set to 72 hours, after which time the price for your decryption key goes up significantly. (The price may vary as Bitcoin has a fairly volatile value. At the time of writing the initial price was .5 Bitcoin or $300, which then goes up to 4 Bitcoin) You can “beat the clock” somewhat, by setting the BIOS clock back to a time before the 72 hour window is up. I give this advice reluctantly, as all it can do is keep you from having to pay the higher price, and we strongly advise that you do not pay the ransom. Paying the criminals may get your data back, but there have been plenty of cases where the decryption key never arrived or where it failed to properly decrypt the files. Plus, it encourages criminal behavior! Ransoming anything is not a legitimate business practice, and the malware authors are under no obligation to do as promised – they can take your money and provide nothing in return, because there is no backlash if the criminals fail to deliver.