Today the Dragos, Inc. team is releasing a report titled CRASHOVERRIDE: Analyzing the Malware that
Attacks Power Grids. CRASHOVERRIDE is a malware framework that has not been disclosed before today but
is the capability used in the cyber-attack on the Ukraine electric grid in 2016 (not the 2015 attack).
Dragos can also confirm that we are tracking the adversary group behind the attack as ELECTRUM and can
assess with high confidence the group has direct ties to the Sandworm Team which targeted infrastructure
companies in the United States and Europe in 2014 and Ukraine electric utilities in 2015. The report we
are releasing today serves as an industry report to accompany the intelligence report our customers have
received on the threat. The intelligence report goes into more technical exploration and ties together
sensitive details, but the industry report contains everything that defenders need to analyze the
threat, defend their systems, and understand the potential impact. The report will also educate on grid
operations and try to illuminate the threat scenarios while reducing any hype and confusion on the
The report may be found here directly without any requirement for submitting an email or any
The purpose of this blog is to introduce some high-level items for everyone to be aware of (especially
those that do not have time to read the full report).
- The electric grid is extremely reliable. CRASHOVERRIDE represents alarming tradecraft and the
ability to disrupt operations, but the public must understand that the outages would be measured in
hours or days, not weeks or months. Electric grid operators train regularly to restore power after
similar-sized events such as weather storms. The first thank you that needs to be stated publicly is
to the men and women responsible for putting the electric grid into a defensible position through
their dedication to the reliability and safety of electric power.
- The Slovakian anti-virus firm ESET informed Dragos on June 8th, 2017 that they would be releasing
their report on June 12th on a piece of malware they identify as "Industroyer." ESET asked Dragos to
validate their findings for reporters they were speaking to, because Dragos has subject matter
experts focused on ICS security. Dragos would like to recognize the good work by ESET and thank them
for providing us with digital hashes of some samples of the malware, which initiated our discovery
of this new capability.
- Dragos was able to confirm much of ESET's analysis and leveraged the digital hashes to find other
undisclosed samples and connections to a group we are tracking internally as ELECTRUM. The new
functionality, the connections to the threat group, the numerous references to crash.dll in the
malware, and our analysis that it is not focused industry-wide but specifically on electric grid
operations led the team to name this malware CRASHOVERRIDE.
- The CRASHOVERRIDE malware is a framework that has modules specific to ICS protocol stacks including
IEC 101, IEC 104, IEC 61850, and OPC. It is designed to allow the inclusion of additional payloads
such as DNP3, but at this time no such payloads have been confirmed. The malware also contains
additional non-ICS-specific modules such as a wiper that deletes files and kills processes on the
running system for a destructive attack on operations technology gear (not physical destruction of grid
- The modules in CRASHOVERRIDE are leveraged to open circuit breakers on RTUs and force them into an
infinite loop that keeps the circuit breakers open even if grid operators attempt to close them. This
is what causes the impact of de-energizing the substations. Grid operators could fall back to manual
operations to alleviate this issue.
- The CRASHOVERRIDE malware appears not to have used all of its functionality and modules, and it
appears the Kiev transmission substation targeted in 2016 may have been more of a proof-of-concept
attack than a full demonstration of the capability in CRASHOVERRIDE.
- CRASHOVERRIDE's wiper searches for specific ABB files to delete from a system; however, there are
no ABB vulnerabilities that this malware takes advantage of. It is important to understand that the
malware is sophisticated in its tradecraft because it takes advantage of knowledge of grid
operations and is vendor independent. In our assessment, the vendor names associated with the Kiev
site are insignificant details, and the vendors and configurations of the environment were not at fault.
- ESET's report cites a Siemens SIPROTEC denial of service based on a publicly disclosed 2015
vulnerability. However, we cannot confirm the existence of this module.
- There are concerning scenarios in which this malware could be leveraged to disrupt grid operations,
resulting in hours of outages at targeted locations and extending into a few days if done at multiple
sites. However, it is important to know this is not a catastrophic scenario; there is no evidence
the ELECTRUM actors could use CRASHOVERRIDE to do more than a few days of outages, and even getting
to a few days would require targeting multiple sites simultaneously, which is entirely possible
but not trivial. CRASHOVERRIDE is an extremely concerning capability but should not be taken with
any "doom and gloom" type scenarios. Everything past single-substation events and small islanding
events from targeting a few locations is purely speculation and not worth discussion at this
Indicators of compromise for the CRASHOVERRIDE malware can be found in the industry report. Indicators of
compromise are available, but the most important thing for security teams to watch for is malicious
behaviors and set patterns in the ICS communications. Dragos Platform customers detect
CRASHOVERRIDE and other similar tradecraft within an ICS network through a dozen new behavioral
analytics and associated intelligence context. Follow-on intelligence reports will keep customers
up to date with the threat actor and capability as the situation evolves. The Dragos, Inc. team and ESET
will also break down together, for the first time in public, what is known about the threat at our
joint talk at the Black Hat conference.
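As an added illustration of the behavioral approach described above (this is example code written for this post, not the Dragos Platform's analytics or anything from the report): the breaker-loop behavior described earlier shows up on the wire as the same IEC 104 control command being re-issued to the same point over and over. The analytic below parses a constructed, hypothetical log of IEC 104 command ASDUs and flags any source that hammers one information object address (IOA) with identical control commands inside a short window; the ASDU type IDs are the standard IEC 60870-5-104 values, while the log format, IPs and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# IEC 60870-5-104 ASDU type IDs for control commands (standard values):
# 45 = single command (C_SC_NA_1), 46 = double command (C_DC_NA_1).
CONTROL_TYPES = {45, 46}

# Constructed sample log (hypothetical, not real traffic). One command ASDU per line:
# timestamp  src_ip  rtu_ip  asdu_type  ioa  value
# 10.0.1.20 is a normal HMI; 10.0.1.99 re-issues "open" (value 1) to IOA 1001 every second.
SAMPLE_LOG = """
2016-12-17T22:00:00 10.0.1.20 10.0.2.10 45 1001 0
2016-12-17T22:05:00 10.0.1.99 10.0.2.10 45 1001 1
2016-12-17T22:05:01 10.0.1.99 10.0.2.10 45 1001 1
2016-12-17T22:05:02 10.0.1.99 10.0.2.10 45 1001 1
2016-12-17T22:05:03 10.0.1.99 10.0.2.10 45 1001 1
2016-12-17T22:05:04 10.0.1.99 10.0.2.10 45 1001 1
2016-12-17T22:05:05 10.0.1.20 10.0.2.11 100 0 20
"""


def parse_line(line):
    """Split one log line into a dict; type 100 is a general interrogation, not a control."""
    ts, src, dst, typ, ioa, val = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "type": int(typ), "ioa": int(ioa), "value": int(val)}


def find_hammered_points(log_text, threshold=4, window_s=30):
    """Return one alert per (src, rtu, ioa, value) that sees >= threshold identical
    control commands within window_s seconds: the repeated-write signature of a
    loop that keeps re-issuing the same breaker command."""
    recent = defaultdict(deque)   # key -> timestamps still inside the sliding window
    alerts = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        if ev["type"] not in CONTROL_TYPES:
            continue              # only control ASDUs matter for this analytic
        key = (ev["src"], ev["dst"], ev["ioa"], ev["value"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > timedelta(seconds=window_s):
            q.popleft()           # drop commands that fell out of the window
        if len(q) == threshold:   # fire exactly once when the threshold is crossed
            alerts.append({"src": ev["src"], "rtu": ev["dst"], "ioa": ev["ioa"],
                           "value": ev["value"], "count": len(q),
                           "first": q[0].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in find_hammered_points(SAMPLE_LOG):
        print(f"ALERT {a['src']} -> {a['rtu']} IOA {a['ioa']} value {a['value']} x{a['count']} since {a['first']}")
```

The single legitimate command from the HMI never reaches the threshold, so only the looping source is reported; in a real deployment the window and threshold would be tuned per site against normal operator command rates.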