By Jim Finkle
(Reuters) – Two cyber security companies said they have uncovered a sophisticated piece of malicious software capable of causing power outages by ordering industrial computers to shut down electricity transmission.
Analysis of the malware, known as Crash Override or Industroyer, indicates it was likely used in a December 2016 cyber attack that cut power in Ukraine, according to the firms, Slovakian security software maker ESET and U.S. critical-infrastructure security firm Dragos Inc.
The discovery may stoke fears about cyber vulnerabilities in power grids that have intensified in the wake of the December Ukraine attack, and one a year earlier that also cut power in that nation.
Ukraine authorities have previously blamed Russia for the attacks on its grid. Moscow has denied responsibility.
Dragos founder Robert M. Lee said the malware is capable of causing outages of up to a few days in portions of a nation’s grid, but is not potent enough to bring down a country’s entire grid.
The firm has alerted government authorities and power companies about the threat, advising them of steps to defend against the threat, Lee said in an interview.
Crash Override can be detected if a utility specifically monitors its network for abnormal traffic, including signs that the malware is searching for the location of substations or sending messages to switch breakers, according to Lee, a former U.S. Air Force warfare operations officer.
The sample of Crash Override that was analyzed by Dragos is capable of attacking power operators across Europe, according to Lee.
“With small modifications, it could be leveraged against the United States,” he said.
Reuters reviewed an ESET technical analysis of the malware provided by the security firm, which they planned to release publicly on Monday. An ESET spokeswoman said the firm’s researchers were not available for comment ahead of its release.
ESET said in its report that it believed the malware was “very probably” used in the 2016 attack in Ukraine, noting it has an activation time stamp of Dec. 17, the day of the outage.
Crash Override is the second piece of malware discovered to date that is capable of disrupting industrial processes, according to Lee.
The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.
Malware has been used in other attacks on industrial targets, including the 2015 Ukraine power outage, but in those cases human intervention was required to interfere with operations, Lee said.
(Reporting by Jim Finkle in Toronto; Editing by Tom Brown and Richard Pullin)