CRASHOVERRIDE is the first publicly known malware designed to impact electric grid operations. While some attention has already been paid to CRASHOVERRIDE's ICS-specific effects, the broader scope of the attack, and the prerequisites necessary for its execution, have been woefully unexamined. Drawing on previously unavailable log, forensic, and other incident data, this paper outlines the CRASHOVERRIDE attack in its entirety, from the breach of the ICS network through the delivery and execution of ICS-specific payloads. This examination shows that, aside from the requirement to develop and deploy ICS-targeting software for final effects, CRASHOVERRIDE largely relied on fairly standard intrusion techniques to achieve its results. By understanding this methodology and how these techniques can be monitored and detected, ICS asset owners and defenders can begin identifying the detection and visibility gaps that must be closed to catch such techniques in the future. While CRASHOVERRIDE represents an effectively new application of malware to produce a physical impact, the underlying techniques for intrusion and deployment would be immediately recognizable to a junior penetration tester. By demystifying this attack, defenders and testers can gain a greater appreciation for both the existing vulnerabilities within electric grid operations and the steps required to build effective defenses.
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE was originally presented at Virus Bulletin (VB2018) in Montreal, Quebec, Canada, on October 4th, 2018: https://www.virusbulletin.com/conference/vb2018/.