Industroyer: The biggest threat to industrial control systems since Stuxnet

Anton Cherepanov, Senior Malware Researcher, ESET

Robert Lipovsky, Senior Malware Researcher, ESET

Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine.
This was the second time in history that a cyberattack – using malware – caused a mass scale power outage; the first being the blackout in December 2015, which involved the use of BlackEnergy.
But the aspect that significantly sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy, or Havex, for example, is its ability to control switches and circuit breakers directly via 4 different industrial communication protocols. In other words, the attackers had made the effort to create a malware framework that ‘speaks’ the language of the specialized industrial hardware at the targeted electricity distribution substation.

The talk will cover a detailed analysis of Industroyer’s malicious payloads that directly interfere with the targeted industrial control systems – whether it’s for sending commands to so-called Intelligent Electronic Devices, launching a Denial-of-Service attack against equipment, or wiping data to cover the attackers’ tracks and make restoration from the attack more difficult. Also, we will outline the noteworthy features of supporting modules responsible for command & control communication, persistence, and so on.

In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will take a look at the 2016 power outage in the context of the other numerous cyberattacks against Ukrainian critical infrastructure in the recent years.

We will also assess the attackers’ motivations and what this threat means to utilities around the world. As the protocols and hardware targeted by Industroyer are employed in power supply infrastructure, transportation control systems, and other critical infrastructure systems, like water and gas, worldwide, the malware can be re-purposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for security of these critical systems.

Anton Cherepanov

Anton Cherepanov is currently working at ESET as a Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research has been presented at numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on reverse engineering and malware analysis automation.

Robert Lipovsky

Robert Lipovsky is a Senior Malware Researcher in ESET’s Security Research Laboratory, with 10 years’ experience in malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team at ESET’s HQ in Bratislava. He is a regular speaker at security conferences, including Black Hat, Virus Bulletin, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater, and at Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.