
CrashOverride

Posted: March 20, 2018

CrashOverride, also known as Industroyer, is a Trojan that targets energy-sector control equipment to cause power outages and, potentially, permanent physical damage. Although its known campaign began in Ukraine, CrashOverride is a modular Trojan whose attack components can be adapted to the power grids of other countries. Malware experts recommend regular human monitoring for signs of infection, patching all software, and using dedicated anti-malware products to remove CrashOverride from infected systems.

Your Next Outage may not Be Due to Bad Weather

Trojan campaigns targeting the energy sectors of different nations are a recurring problem for the cyber-security industry and have previously included threats like the Gh0st RAT, Havex, Triton and Stuxnet. Stuxnet is especially notable for its capacity to cause physical damage to hardware, a trait that was, for years, unique to it. A new campaign targeting Ukraine shares that property, thanks to the Trojan that researchers refer to as both Industroyer (ESET's name for it) and CrashOverride (the name used by Dragos).

CrashOverride is widely assessed to be of Russian origin, although malware experts cannot currently verify the identity of the threat actors or their infiltration method; attacks of this nature often use e-mail as the initial infection vector. CrashOverride uses a module-based design that customizes its payload for the industrial control protocols in use in a given region: its known payload modules speak the IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA protocols found in Ukrainian and other European substations. Once it gains access, it can deploy itself with little oversight and cause outages autonomously, issuing breaker commands on a timer. That is a significant difference from the December 2015 attack on the Ukrainian grid, in which operators opened breakers by hand through hijacked remote-access sessions. CrashOverride also can be operated manually, when appropriate, for more precise control than its default module settings provide.
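The outage mechanism described above is ordinary protocol traffic: the 104 payload module walks a range of information object addresses and sends select/execute commands to open breakers, in the same ASDU format a legitimate SCADA master uses. The following Python script is an added example, not code from this page or from the ESET or Dragos analyses. It parses IEC 60870-5-104 frames, picks out control-command activations, and flags those that come from a host other than the known SCADA master or that arrive in a burst. The protocol constants are taken from the IEC 60870-5-101/104 standards; the sample capture, host addresses, common address and information object addresses are constructed and hypothetical.

```python
"""Flag IEC 60870-5-104 control commands from unexpected hosts (constructed example)."""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Type identifications that write to field devices (process-control commands).
# Everything else on the link is monitoring traffic and is ignored here.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set point (normalised)",
    49: "C_SE_NB_1 set point (scaled)", 50: "C_SE_NC_1 set point (float)",
    51: "C_BO_NA_1 bitstring", 58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)", 60: "C_RC_TA_1 regulating step (time-tagged)",
    61: "C_SE_TA_1 set point (time-tagged)", 62: "C_SE_TB_1 set point (time-tagged)",
    63: "C_SE_TC_1 set point (time-tagged)", 64: "C_BO_TA_1 bitstring (time-tagged)",
}
COT_ACTIVATION = 6          # cause of transmission "activation": the command is being issued

@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    ioa: Optional[int]          # information object address of the first object
    select: Optional[bool]      # S/E bit of SCO/DCO: True = select, False = execute

@dataclass
class Packet:                   # minimal stand-in for one captured TCP segment (constructed)
    src: str
    dst: str
    payload: bytes

def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Parse one 104 APDU. Returns the ASDU of an I-format frame, None for S/U frames."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if data[1] != len(data) - 2:
        raise ValueError("APDU length field does not match frame size")
    if data[2] & 0x01:          # control octet 1, bit 0 set: S-format or U-format, no ASDU
        return None
    asdu = data[6:]             # skip start byte, length and the four control octets
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F        # low six bits; bit 6 = P/N, bit 7 = test. asdu[3] = originator
    common_addr = struct.unpack("<H", asdu[4:6])[0]
    ioa = select = None
    if len(asdu) >= 10:
        ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
        if type_id in (45, 46, 58, 59):
            select = bool(asdu[9] & 0x80)               # bit 7 of the SCO/DCO qualifier
    return Asdu(type_id, cot, common_addr, ioa, select)

def build_command(type_id: int, cot: int, common_addr: int, ioa: int, qualifier: int,
                  send_seq: int = 0, recv_seq: int = 0) -> bytes:
    """Build an I-frame carrying one information object; used only to construct sample traffic."""
    asdu = bytes([type_id, 0x01, cot, 0x00]) + struct.pack("<H", common_addr)
    asdu += bytes([ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, qualifier])
    ctrl = struct.pack("<HH", send_seq << 1, recv_seq << 1)   # bit 0 clear => I-format
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu

def detect(packets: List[Packet], authorised_masters, burst_threshold: int = 5) -> List[str]:
    """Alert on command activations from hosts that are not known SCADA masters,
    and on any host that issues burst_threshold activations within the capture."""
    alerts, per_source = [], Counter()
    for p in packets:
        asdu = parse_apdu(p.payload)
        if asdu is None or asdu.type_id not in CONTROL_TYPE_IDS or asdu.cot != COT_ACTIVATION:
            continue
        phase = "select" if asdu.select else "execute"
        desc = f"{CONTROL_TYPE_IDS[asdu.type_id]} [{phase}] CA={asdu.common_addr} IOA={asdu.ioa}"
        if p.src not in authorised_masters:
            alerts.append(f"UNAUTHORISED SOURCE {p.src} -> {p.dst}: {desc}")
        per_source[p.src] += 1
        if per_source[p.src] == burst_threshold:
            alerts.append(f"COMMAND BURST from {p.src}: {burst_threshold} activations in capture")
    return alerts

def sample_capture() -> List[Packet]:
    """Constructed traffic: one legitimate master (10.0.0.5) and one compromised
    engineering host (10.0.0.99) walking breaker IOAs and opening them, as the
    Industroyer 104 module does. Addresses and IOAs are hypothetical."""
    rtu, master, rogue = "10.0.0.20", "10.0.0.5", "10.0.0.99"
    return [
        Packet(rogue, rtu, bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),       # U-frame STARTDT act
        Packet(master, rtu, build_command(100, COT_ACTIVATION, 1, 0, 0x14)),   # general interrogation
        Packet(rogue, rtu, build_command(45, COT_ACTIVATION, 1, 1001, 0x80)),  # single cmd, select, OFF
        Packet(rogue, rtu, build_command(45, COT_ACTIVATION, 1, 1001, 0x00)),  # single cmd, execute, OFF
        Packet(rogue, rtu, build_command(45, COT_ACTIVATION, 1, 1002, 0x80)),
        Packet(rogue, rtu, build_command(45, COT_ACTIVATION, 1, 1002, 0x00)),
        Packet(rogue, rtu, build_command(46, COT_ACTIVATION, 1, 2001, 0x01)),  # double cmd, execute, OFF
        Packet(master, rtu, build_command(45, COT_ACTIVATION, 1, 3001, 0x01)), # operator closes a breaker
    ]

def run_example() -> List[str]:
    return detect(sample_capture(), authorised_masters={"10.0.0.5"})

if __name__ == "__main__":
    for line in run_example():
        print(line)
```

In a real deployment the frames would come from a capture of TCP port 2404 between the control centre and the substation, and the allowlist would be the addresses of the SCADA front-ends. The source check catches a command issued from an engineering workstation or other compromised host; the burst rule catches the module's characteristic behaviour of toggling every breaker in a range in quick succession, which even a legitimate master address would not normally do.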

CrashOverride also may provide reconnaissance information on the control systems to its threat actors. The Trojan includes a relatively un-obfuscated data-uploading feature that could help the remote attackers learn previously unknown details about the equipment's configuration and behaviour. CrashOverride also can self-destruct, wiping its own files and other files on the infected PC with it, thereby destroying evidence of the infection method and of its payload's operations; its wiper component also overwrites ICS configuration files and disables Windows services, which can leave the host unable to boot.

Overriding the Trojan with an Anti-Energy Agenda

One hazard of CrashOverride infections is their potential for exploiting a denial-of-service vulnerability in Siemens SIPROTEC digital protective relays, which, like Stuxnet's attacks, could facilitate the physical destruction of hardware with nothing more than digital commands: a relay that has been knocked offline can no longer trip a breaker to protect a line or transformer from overload. However, the threat actors may intend this feature as nothing more than a way to hinder the re-energizing of circuit breakers after a blackout. Malware analysts note that the current implementation of this feature is defensible: Siemens has released firmware that fixes the vulnerability, and relays running the patched firmware are not affected by it.

CrashOverride is adaptable to targets around the world and can maintain its presence, including a timed payload, even on systems without an outbound network connection. Although CrashOverride cannot apply its payload to non-electrical control systems without changes to its code, its modules may let it cause well-coordinated outages anywhere the protocols it speaks are in use. Anti-malware protocols should focus on preventing infections by scanning incoming files with appropriate security software and on removing CrashOverride automatically when it is detected; on the network side, operators should monitor for unexpected control commands on the ICS protocol links the Trojan abuses.

CrashOverride is a well-designed Trojan whose motives remain guessable but not verifiable for the present. Although most nations maintain only a minimum of hands-on monitoring of their electrical grids, the CrashOverride campaign gives electrical utilities good reason to do more.
