The Claroty Blog

CrashOverride (a.k.a. Industroyer): Detection and Alerting in the Claroty Platform

By Patrick McBride

CrashOverride (a.k.a. Industroyer) is malware purpose-built for attacking electric transmission and distribution systems. It is now assumed to have been used to shut down electricity in Ukraine in December 2016. CrashOverride joins Stuxnet, BlackEnergy2 and HAVEX in its industrial control system (ICS) attack automation capabilities, and the malware reveals thorough knowledge of the internals of the ICS communication protocols that transmission and distribution systems rely on.


According to public research, CrashOverride is composed of a backdoor and four payload components that seek to gain direct control of switches and circuit breakers at an electricity distribution substation. The malware first maps and discovers the targeted devices and then issues commands to modify those devices' behavior.

For a deeper understanding of CrashOverride, we recommend reviewing ESET's thorough analysis paper and the US-CERT advisory.


Claroty’s Quick Take

Claroty's research team has analyzed CrashOverride. From initial analysis, it is apparent that CrashOverride is designed for a hit-and-destroy style attack: open a breaker switch and shut down the flow of electricity with a write command. This aligns with the attack pattern practiced against the Ukrainian electrical grid in both 2015 and 2016. It differs greatly from Stuxnet, which was designed to cause slight changes in the controller code that accumulated over time to create substantial asset damage.


While the CrashOverride malware was targeted at the specific ICS systems supporting the Ukrainian grid, the modular nature of the kit and its understanding of the key protocols used in electric utilities mean it can easily be modified for use against grids in other countries, and even repurposed for industrial control environments in other industries.


Claroty’s Ability to Detect CrashOverride

We have had several inbound questions from customers and partners about our ability to detect the malware. Following our analysis of the publicly available information, we can give a positive answer.


CrashOverride generates substantial anomalous network behavior. This includes, for example, establishing connections back to the adversary's command and control (C2) infrastructure and communicating with RTUs and other controllers during the actual attack stages. Claroty detects these "baseline deviations" from standard traffic patterns and raises various alerts. Based on the publicly disclosed analysis of CrashOverride by ESET and its confirmation by Dragos, the table below lists the anomalous traffic that Claroty will alert on.
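The paragraph above describes detection as "baseline deviation": conversations that never occurred during normal operation, and a fixed-interval poll back to a C2 server. The following is an added example and not Claroty's detection code; it learns a set of (source, destination, protocol, port) conversations from a quiet learning period, flags new conversations in a later window, and checks those new conversations for beacon-like periodicity. The IP addresses, timestamps, thresholds and flow records are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev


def flow(ts, src, dst, proto, dport):
    """One flow record (constructed for this example, not a real capture)."""
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": dport}


def key_of(f):
    """Conversation key: who talks to whom, over which protocol and port."""
    return (f["src"], f["dst"], f["proto"], f["dport"])


def learn_baseline(flows):
    """Conversation keys seen during a known-clean learning period."""
    return {key_of(f) for f in flows}


def find_deviations(baseline, flows):
    """Conversations in the detection window that never appeared in the
    baseline, with how often each occurred and when it was first seen."""
    counts, first_seen = defaultdict(int), {}
    for f in flows:
        k = key_of(f)
        if k not in baseline:
            counts[k] += 1
            first_seen.setdefault(k, f["ts"])
    return [
        {"src": k[0], "dst": k[1], "proto": k[2], "dport": k[3],
         "count": counts[k], "first_seen": first_seen[k]}
        for k in sorted(counts)
    ]


def find_beacons(baseline, flows, min_flows=5, max_jitter=0.2):
    """New conversations whose inter-arrival times are nearly constant
    (coefficient of variation below max_jitter), i.e. a fixed-interval poll
    for commands. Baseline conversations are skipped on purpose: legitimate
    SCADA polling is periodic too, so periodicity on a *new* conversation is
    the stronger signal."""
    by_key = defaultdict(list)
    for f in flows:
        k = key_of(f)
        if k not in baseline:
            by_key[k].append(f["ts"])
    beacons = []
    for k, ts in sorted(by_key.items()):
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons.append({"src": k[0], "dst": k[1], "proto": k[2],
                            "dport": k[3], "interval_s": round(avg, 1)})
    return beacons


def sample_flows():
    """Constructed learning-period and detection-window flows for an HMI
    (10.0.0.5) that normally polls an RTU (10.0.1.20) over IEC 104 (TCP 2404)
    and writes to a historian (10.0.0.50). All addresses are assumptions."""
    learning = [
        flow(1, "10.0.0.5", "10.0.1.20", "tcp", 2404),
        flow(7, "10.0.0.5", "10.0.0.50", "tcp", 1433),
        flow(13, "10.0.0.5", "10.0.1.20", "tcp", 2404),
        flow(31, "10.0.0.5", "10.0.1.20", "tcp", 2404),
    ]
    window = [flow(t, "10.0.0.5", "10.0.1.20", "tcp", 2404)
              for t in (3, 15, 40, 92, 150, 208)]
    # a ~60 s fixed-interval poll towards an internal proxy port (constructed)
    for t in (0.0, 60.5, 119.8, 180.2, 240.1, 299.6, 360.3, 420.0):
        window.append(flow(t, "10.0.0.5", "10.0.0.77", "tcp", 3128))
    # two never-before-seen connections to TCP 102 on the RTU subnet
    window.append(flow(300, "10.0.0.5", "10.0.1.30", "tcp", 102))
    window.append(flow(301, "10.0.0.5", "10.0.1.31", "tcp", 102))
    return learning, window


if __name__ == "__main__":
    learning, window = sample_flows()
    base = learn_baseline(learning)
    for d in find_deviations(base, window):
        print("NEW CONVERSATION", d)
    for b in find_beacons(base, window):
        print("BEACON", b)
```

Running the block reports three new conversations (the proxy port and the two TCP 102 connections) and one beacon (the proxy conversation at a 60 s interval); the normal IEC 104 polling, which is also periodic, is not reported because it is part of the learned baseline.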


| CrashOverride Module / Purpose | Anomalous Activity | Alert |
|---|---|---|
| Backdoor/RAT Module: gain a persistent footprint on the ICS network | Adversary had to establish an internal proxy on the local network before installation of the Backdoor/RAT component | Yes |
| | Communication between Backdoor/RAT and internal proxy on TCP 3128 (default Squid proxy) | Yes |
| | Authentication between Backdoor/RAT and C2 server (over proxy): HTTP POST with Windows GUID | Yes |
| | HTTP CONNECT to C2 via internal proxy (external IPs that were active Tor/dark web nodes) | Yes |
| | Periodic beaconing to C2 server (frequency set by adversary) to retrieve new commands from the C2 server | Yes |
| Launcher/Loader Modules: load and execute the payload that impacts the ICS, and are used to cause destruction through a wiper capability | Host-based execution; no network traffic other than when the initial backdoor file was downloaded to the host in the initial stages of the attack | No |
| Data Wiper Module: wipes the host and bricks the Windows machine; overwrites registry keys and configuration files locally and across all mapped network drives | In the sample this overwrites ICS configuration files across all mapped network drives, specifically targeting configuration files for ABB PCM600. Targets drives lettered C-Z. | Yes (for mapped-drive based communication) |
| Payload Modules: use specific protocols to change settings on RTUs and open breakers. Various payload modules are used for different types of electric grid/control center environments. | | |
| IEC 104 Payload: designed to target RTUs with specific actions based on a configuration file that is purpose-built for the target environment | Communications between infected host and master/slave RTUs | Yes |
| | Enumeration of target | Yes |
| | Changing information object addresses (IOAs) | Yes |
| IEC 101 Payload: the main idea behind the 104 payload is relatively simple. It connects to the specified IP address and starts to send packets with the ASDU address that was defined in its configuration. The goal of this communication is to interact with an IOA of a single command type. | Operation Mode 1 "Range Mode" stage 1: during the first stage, once the range of IOAs is obtained from the configuration file, the 104 payload connects to the target IP address and starts to iterate through the specified IOAs | Yes |
| | Operation Mode 1 "Range Mode" stage 2: in the loop the payload constantly sends "select and execute" packets. In addition, if the option change is defined, the payload flips the On/Off state between loop steps. | Yes |
| | Operation Mode 2 "Shift Mode": same as Range Mode stages 1 and 2 above | Yes |
| | Operation Mode 3 "Sequence Mode": this payload immediately executes an infinite loop, sending "select and execute" packets to the IOAs defined in the configuration file | Yes |
| IEC 61850 Payload: unlike the 101 and 104 payloads, this payload component exists as a standalone malicious tool | The 61850 payload then enumerates all possible IP addresses for each of these subnet masks, and tries to connect to port 102 on each of those addresses | Yes |
| SIPROTEC DoS Module: used to make a SIPROTEC digital relay unresponsive | UDP packets sent to port 5000, exploiting CVE-2015-5374, causing the digital relay to be unresponsive | Yes |
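The IEC 104 rows in the table (select-and-execute commands iterated across a range of IOAs, with the On/Off state flipped between loop steps) can also be checked at the protocol level rather than the flow level. The following is an added example, not Claroty's detection logic and not code from the ESET analysis: it decodes IEC 60870-5-104 single-command APDUs (type identification 45, C_SC_NA_1) and raises an alert when one source issues activation commands against several distinct IOAs on the same common address. The frame layout follows the public IEC 60870-5-104 specification; the addresses, the threshold and the sample frames are constructed for the example.

```python
from collections import defaultdict

C_SC_NA_1 = 45        # type identification: single command
COT_ACTIVATION = 6    # cause of transmission: activation


def parse_apdu(apdu: bytes):
    """Decode one IEC 104 APDU. Returns None for S- and U-frames; for an
    I-frame returns the ASDU header plus decoded single-command objects."""
    if len(apdu) < 6 or apdu[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if apdu[1] + 2 != len(apdu):
        raise ValueError("APDU length mismatch")
    ctrl = apdu[2:6]
    if ctrl[0] & 0x01:            # bit0 set: S-frame (01) or U-frame (11)
        return None
    asdu = apdu[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    sq, count = bool(vsq & 0x80), vsq & 0x7F
    cot = asdu[2] & 0x3F          # low 6 bits; bit6 = P/N, bit7 = test
    ca = asdu[4] | (asdu[5] << 8)  # common address of ASDU, little-endian
    objects = []
    if type_id == C_SC_NA_1 and not sq:
        pos = 6
        for _ in range(count):
            if pos + 4 > len(asdu):
                raise ValueError("information object truncated")
            ioa = asdu[pos] | (asdu[pos + 1] << 8) | (asdu[pos + 2] << 16)
            sco = asdu[pos + 3]    # single command qualifier octet
            objects.append({
                "ioa": ioa,
                "scs": sco & 0x01,             # 0 = OFF, 1 = ON
                "qu": (sco >> 2) & 0x1F,       # qualifier of command
                "select": bool(sco & 0x80),    # S/E bit: 1 = select, 0 = execute
            })
            pos += 4
    return {"type_id": type_id, "cot": cot, "ca": ca,
            "originator": asdu[3], "objects": objects}


def detect_ioa_sweep(capture, min_ioas=3):
    """capture: iterable of (ts, src_ip, dst_ip, apdu_bytes). Returns one alert
    per (src, dst, common address) that sent activation single commands to at
    least `min_ioas` distinct IOAs, with select/execute counts and states seen."""
    seen = defaultdict(lambda: {"ioas": set(), "states": set(),
                                "select": 0, "execute": 0})
    for _ts, src, dst, raw in capture:
        msg = parse_apdu(raw)
        if msg is None or msg["type_id"] != C_SC_NA_1 or msg["cot"] != COT_ACTIVATION:
            continue
        entry = seen[(src, dst, msg["ca"])]
        for obj in msg["objects"]:
            entry["ioas"].add(obj["ioa"])
            entry["states"].add("ON" if obj["scs"] else "OFF")
            entry["select" if obj["select"] else "execute"] += 1
    alerts = []
    for (src, dst, ca), e in sorted(seen.items()):
        if len(e["ioas"]) >= min_ioas:
            alerts.append({"src": src, "dst": dst, "common_address": ca,
                           "ioa_count": len(e["ioas"]),
                           "ioa_range": (min(e["ioas"]), max(e["ioas"])),
                           "select_frames": e["select"],
                           "execute_frames": e["execute"],
                           "states": sorted(e["states"])})
    return alerts


def _single_command_frame(ns, nr, ca, ioa, on, select):
    """Encode one C_SC_NA_1 activation I-frame; used only to build the
    constructed sample capture below."""
    sco = (0x80 if select else 0x00) | (0x01 if on else 0x00)
    asdu = bytes([C_SC_NA_1, 0x01, COT_ACTIVATION, 0x00, ca & 0xFF, ca >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, sco])
    ctrl = bytes([(ns << 1) & 0xFF, (ns >> 7) & 0xFF,
                  (nr << 1) & 0xFF, (nr >> 7) & 0xFF])
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def sample_capture():
    """Constructed capture (assumed addresses): host 10.0.0.5 sends select then
    execute to IOAs 1..4 on common address 1 of RTU 10.0.1.20, flipping On/Off
    each step, plus one ordinary operator command to a single IOA elsewhere."""
    frames, ns, t = [], 0, 0.0
    for step, ioa in enumerate(range(1, 5)):
        for select in (True, False):
            frames.append((t, "10.0.0.5", "10.0.1.20",
                           _single_command_frame(ns, 0, 1, ioa, step % 2 == 0, select)))
            ns, t = ns + 1, t + 0.05
    frames.append((t, "10.0.0.9", "10.0.1.21", _single_command_frame(0, 0, 2, 7, True, False)))
    return frames


if __name__ == "__main__":
    for alert in detect_ioa_sweep(sample_capture()):
        print("IOA SWEEP", alert)
```

The benign single-IOA command from 10.0.0.9 never reaches the threshold, so only the four-IOA sweep is reported, together with the fact that both ON and OFF states were commanded. The threshold `min_ioas` is a tuning choice; an operator station that legitimately commands several breakers in one procedure would need a higher value or an allow-list of known command sources.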


We stand ready to discuss any of the above and to start a conversation about enabling real-time monitoring and anomaly detection inside your complex ICS network environment. The threat landscape is changing rapidly for ICS, and we are committed to helping you outpace these adversaries.