TORONTO – Two cybersecurity firms have uncovered malicious software that they believe caused a December 2016 Ukraine power outage, they said on Monday, warning that the malware could be easily modified to harm critical infrastructure operations around the globe.
ESET, a Slovakian anti-virus software maker, and Dragos Inc., a U.S. critical-infrastructure security firm, released detailed analyses of the malware, known as Industroyer or Crash Override, and issued private alerts to governments and infrastructure operators to help them defend against the threat.
They said they did not know who was behind the cyberattack. Ukraine has blamed Russia, though officials in Moscow have repeatedly denied blame.
Still, the security firms warned there could be more attacks using the same approach, either by the group that built the malware or copycats who modify the malicious software.
“The malware is really easy to re-purpose and use against other targets. That is definitely alarming,” said ESET malware researcher Robert Lipovsky said in a telephone interview. “This could cause wide-scale damage to infrastructure systems that are vital.”
Dragos founder Robert M. Lee said the malware was capable of attacking power systems across Europe and could be leveraged against the United States “with small modifications.”
It is able to cause outages of up to a few days in portions of a nation’s grid, but is not potent enough to bring down a country’s entire grid, Lee said by phone.
With modifications, the malware could attack other types of infrastructure including local transportation providers, water and gas providers, Lipovsky said.
News of the discovery prompted the U.S. Department of Homeland Security to advise all critical infrastructure operators to make sure they were following recommended security practices.
The agency is working with the researchers and industry on the issue and would help firms identify vulnerabilities and respond to any suspected breaches as needed, spokesman Scott McConnell said via email.
Power firms are concerned there will be more attacks, Alan Brill, a leader of Kroll’s cybersecurity practice, said in a telephone interview.
“You are dealing with very smart people who came up with something and deployed it,” Brill said. “It represents a risk to power distribution organizations everywhere.”
Industroyer is only the second piece of malware uncovered to date that is capable of disrupting industrial processes without the need for hackers to manually intervene after gaining remote access to the infected system.
The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.
A spokesman for Ukraine’s state cyber police said it was not clear whether the malware was used in the December 2016 attack because the security firms had not provided authorities with the samples they had analyzed.
Representatives with Ukraine’s state-run Computer Emergency Response Team, which advises businesses on defending against cyberattacks, did not immediately respond to requests for comment.
The Kremlin and Russia’s Federal Security Service did not immediately reply to requests for comment.
Crash Override can be detected if a utility specifically monitors its network for abnormal traffic, including signs that the malware is searching for the location of substations or sending messages to switch breakers, according to Lee, a former U.S. Air Force cyberwarfare operations officer.
Malware has been used in other disruptive attacks on industrial targets, including the 2015 Ukraine power outage, but in those cases human intervention was required to interfere with operations.
ESET said it had been analyzing the malware for several months and had held off on going public to preserve the integrity of investigations into the power system hack.
It said it last week shared samples with Dragos, which said it was able to independently verify that it was used in the Ukraine grid attack.