Industroyer breakdown: Q&A with ESET Malware Researcher Robert Lipovsky

At the end of December 2016, Kiev, the Ukrainian capital, was hit by a blackout that lasted nearly 75 minutes. Local investigators later confirmed that the energy outage was caused by a cyberattack. Shortly thereafter, ESET researchers analyzed a sophisticated new malware and published their findings on June 12, 2017. ESET calls this threat Industroyer, and experts agree it is the biggest threat to Industrial Control Systems (ICS) since Stuxnet. This dangerous malware was developed to exploit weaknesses in those systems and the communication protocols they use – systems developed decades ago with almost no security measures.

ESET Malware Researcher Robert Lipovsky provides insight below about this threat. (Read below, or watch the video interview here.)

What is Industroyer?

Industroyer is a malicious tool in the hands of a very dedicated, well-funded and persistent attacker. The malware is able to persist in the compromised network and directly interfere with critical working processes in that facility.

How dangerous is Industroyer?

The potential damage depends on the configuration of that particular facility and can vary, for example, from one substation to another, and can be anything from a simple local blackout, through to cascading failures, or potentially to even greater damage to hardware.

How is this possible?

The biggest problem, however, is that these industrial systems and the communication protocols that they are using – that Industroyer is targeting – are used worldwide and were developed decades ago without security in mind.

Why is Industroyer compared to Stuxnet?

The gang behind Stuxnet definitely knew what they were doing. They were targeting the Iranian nuclear program. The malware was able to take direct control of centrifuges at nuclear facilities.

The same applies to Industroyer, or the gang behind it. They have demonstrated deep knowledge of Industrial Control Systems, and within the malware they implemented functions which are able to directly communicate with the switches and circuit breakers used in power grid substations.

Is Industroyer responsible for the blackouts in Ukraine?

The larger blackout happened in December 2015, when around 250,000 households in several regions of the country went without power for several hours. This was facilitated by malware called BlackEnergy. In December 2016, almost exactly one year later, there was another blackout. Smaller in scale and lasting only one hour, it hit only one region, but was conducted with a more advanced malware. That is Industroyer, which is suspected to be the cause in this case.

Who is responsible for this attack?

Attribution of these types of attacks is always tricky and often impossible. This time there are no clues to point in any direction, and we do not want to speculate, of course.

What is the main take-away from the analysis of Industroyer?

The relatively low impact of the recent blackout stands in great contrast to the technical level and the sophistication of the suspected malware behind Industroyer. So, the possible explanation for this – which is the opinion of many security researchers – is that this was a large-scale test.

Whether or not that is true, the main take-away from this analysis should be that this is a wakeup call for all those responsible for the security of critical infrastructure systems worldwide.