Lights out: How Crash Override hits power grids -- hard

The malware is designed to take advantage of the world’s outdated power grids to shut off electricity in entire cities.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Ukraine has suffered multiple power outages thanks to cyberattacks. Researchers fear it's just the beginning.

Max Vetrov / AFP/Getty Images

The shutdown of Ukraine's power grid last year was just a warning shot for the world.

Say hello to Industroyer, a nasty bit of malware that also goes by the name Crash Override. It targets circuit breakers and is able to hijack electrical systems from afar by taking advantage of communication protocols for power supply infrastructure, transportation controls, and water and gas systems used all over the world, according to cybersecurity researchers who posted their discovery on Monday.

Attacks on infrastructure like electrical grids, traffic lights and water systems can hit much closer to home than email breaches and data leaks. As technology grows smarter and helps manage our homes, cities and businesses, it has become a prime target for both criminal and nation-state hackers. In December, hackers caused an hour-long blackout in the Ukrainian capital of Kiev.

The cyberattack-caused blackout in Kiev didn't lead to any disasters, but experts warn that it's only a preview of the future of cyberwarfare. After all, it was able to shut down one-fifth of the electric power generated in Ukraine's capital.

Attacks targeting infrastructure can lead to chaos, like when engineers hacked into Los Angeles' traffic signal system and purposely created traffic jams. The researchers who discovered Industroyer warn it can be used to do significant damage to electrical power systems, and can be modified to hit other kinds of infrastructure. That makes it the biggest threat to industrial systems since Stuxnet in 2010.

"Attackers could adapt the malware to any environment, which makes it extremely dangerous," wrote Anton Cherepanov, a malware researcher at IT security company ESET.

A successful hack could mean blocking the water supply, manipulating traffic signals to cause gridlock or cutting off vital services. There's no indication where Industroyer came from, whether it was from Russian hackers or other groups. As for Ukraine's shutdown, all signs indicate a nation-state was behind the attack.

Because attacks against electrical grids offer no financial or espionage gains, they're most likely intended to create physical disruption, said Alan Brill, a senior managing director for Kroll's Cyber Security & Investigations unit.

"We've already seen this in Ukraine. If you want to disrupt people's lives, shutting down the electricity is certainly one way to do it," Brill said.

Industroyer takes advantage of outdated industrial systems, which were never designed with security in mind, researchers from ESET said. Once installed, it opens a backdoor and connects to a remote server to receive commands from the attackers.

The issue with the computers running our critical infrastructure is that they're easy to hijack if you can break into the network they're on, experts said. With a lifespan of 25 to 35 years, they're not updated often and don't get replaced for decades, said Galina Antova, co-founder of industrial security company Claroty.

Once an attacker is in the power grid's network, she said, everything is up for grabs. There are no passwords, authentication checks or encryption standing between the attacker and the equipment.

"This is not rocket science. Anyone who knows how to hack into a network can do it," Antova said.

From the way Industroyer is written, ESET suspects the authors know a lot more about power grids than the average hacker.

"This malware is definitely the work of extremely dedicated, resourceful and capable attackers with deep knowledge of the architecture and systems in power grid substations," said Robert Lipovsky, an ESET researcher.

Its features are so well hidden that the infected system believes everything is normal, and Industroyer wipes its traces once the job is done. Some of its tricks include creating an additional backdoor disguised as the Notepad application. It can also be configured to run only outside working hours, so operators are unlikely to stumble across it in action.

Its "time bomb" feature lets the hackers coordinate and set off attacks simultaneously, potentially causing massive outages in multiple areas.

"The recent attack on the Ukrainian power grid should serve as a wake-up call for all those responsible for the security of critical systems around the world," Cherepanov said.
