CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack
Upon discovery and initial analysis in mid-2017, audiences primarily viewed CRASHOVERRIDE as a disruptive event targeting electric utility operations in Ukraine. Similar to the 2015 attack in the same area, CRASHOVERRIDE interrupted the flow of electricity by manipulating ICS equipment and delayed recovery operations to prolong the impact. However, CRASHOVERRIDE’s immediate effects were only precursors to an attempt at a more ambitious attack than what was achieved. In addition to a significantly expanded scope of power disruption, CRASHOVERRIDE differentiates itself from the 2015 event by attempting to disable protective relay devices involved in the targeted operations through a denial of service (DoS) attack. The attack as implemented failed, but the most likely intention behind this action and its implications for electric utility operations and protection have received little attention or analysis.
This paper reexamines this phase of the CRASHOVERRIDE event and likely attacker intentions, even if actual execution failed. It will highlight how CRASHOVERRIDE attempted a different type of attack than 2015 by disrupting electric power operations only as an initial step toward setting up a protection-focused attack on transmission operations, with disabling protective gear as a final attack phase to introduce possible physical destruction via cyber means.