Today the Dragos, Inc. team is releasing a report titled CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids. CRASHOVERRIDE is a malware framework that has not been disclosed before today but is the capability used in the cyber-attack on the Ukraine electric grid in 2016 (not the 2015 attack). We can also confirm that we are tracking the adversary group behind the attack as ELECTRUM and can assess with high confidence that the group has direct ties to the Sandworm Team, which targeted infrastructure in the United States and Europe in 2014 and Ukraine electric utilities in 2015. The report we are releasing today serves as an industry report to accompany the intelligence report our customers have received on the threat. The intelligence report goes into more technical exploration and ties together more details, but the industry report contains everything that defenders need to analyze the threat, defend their systems, and understand the potential impact. The report will also educate on grid operations and try to illuminate the threat scenarios while reducing any hype and confusion about the impact.
The report may be found directly, without any requirement for submitting an email or any personal information.
The purpose of this blog is to introduce some high-level items for everyone to be aware of (for those who do not have time to read the full report).
- The electric grid is extremely reliable. CRASHOVERRIDE represents alarming tradecraft and the ability to disrupt operations, but the public must understand that the outages would be measured in hours or days, not in weeks or months. Electric grid operators train regularly to restore power after similarly sized events such as weather storms. The first thank you that needs to be stated publicly is to the men and women responsible for having put the electric grid into a defensible position through their dedication to the reliability and safety of electric power.
- The Slovakian anti-virus firm ESET informed Dragos on June 8th, 2017 that they would be releasing a report on June 12th on a piece of malware they identify as "Industroyer." The request was to validate findings for reporters they were speaking to, because Dragos has subject matter experts focused on ICS security. Dragos would like to recognize the good work by ESET and thank them for providing Dragos with digital hashes of some samples of the malware, which initiated our discovery of this new capability.
- Dragos was able to confirm much of ESET's analysis and leveraged the digital hashes to find new samples and connections to a group we are tracking internally as ELECTRUM. The new samples, the connections to the threat group, numerous references to crash.dll in the malware, and our assessment that this capability is not industry-wide but specific to electric grid operations led the team to name this malware CRASHOVERRIDE.
- The CRASHOVERRIDE malware is a framework that has modules specific to ICS protocol stacks including IEC 101, IEC 104, IEC 61850, and OPC. It is designed to allow the inclusion of additional payloads such as DNP3, but at this time no such payloads have been confirmed. The malware also contains additional non-ICS-specific modules, such as a wiper to delete files and processes off of the running system for a destructive attack against operations technology gear (not physical destruction of grid equipment).
- The modules in CRASHOVERRIDE are leveraged to open circuit breakers on RTUs and force them into an infinite loop that keeps the circuit breakers open even if grid operators attempt to close them. This is what causes the impact of de-energizing the substations. Grid operators could go back to manual operations to alleviate this issue.
- The CRASHOVERRIDE malware appears not to have used all of its functionality and modules, and it is possible the Kiev transmission substation targeted in 2016 may have been more of a proof-of-concept attack than a full demonstration of the capability in CRASHOVERRIDE.
- CRASHOVERRIDE's wiper searches for specific ABB files to delete off of a system; however, there are no vulnerabilities in ABB products that this malware takes advantage of. It is important to understand that this malware is sophisticated in its tradecraft because it takes advantage of knowledge of grid operations and is vendor independent. In our assessment, the vendor names associated with the Kiev site are insignificant details, and the vendors and configurations of the environment were not at fault.
- ESET's report cites a Siemens SIPROTEC denial of service based on a publicly disclosed 2015 vulnerability. However, we cannot confirm the existence of this module.
- There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that could result in hours of outages at targeted locations, extending into a few days if done at multiple sites. However, it is important to know this is not a catastrophic scenario; there is no evidence the threat actors could use CRASHOVERRIDE to do more than a few days of outages, and even to get a few days would require the targeting of multiple sites simultaneously, which is entirely possible but not trivial. CRASHOVERRIDE is an extremely concerning capability but should not be taken with any "doom and gloom" type scenarios. Everything past single substation events and small islanding events at a few locations is purely speculation and not worth discussion at this time.
Indicators of compromise for the CRASHOVERRIDE malware can be found in the industry report. Indicators of compromise are available, but the most important thing for security teams to watch for is malicious behaviors and set patterns associated with the ICS communications. Dragos Platform customers detect CRASHOVERRIDE and other similar tradecraft within an ICS network through a dozen new behavioral analytics and threat intelligence context. Follow-on intelligence reports will keep customers up-to-date with the threat and capability as the situation evolves. The Dragos, Inc. team and ESET will also break down what is known to the public for the first time together at a joint talk at the BlackHat conference.
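The closing paragraph makes the defender's point: indicators are useful, but the durable signal is the behaviour on the ICS network, such as the repeated breaker-open commands the post describes. The following Python snippet is an added example written for this page; it is not code from Dragos, ESET, or the report. It assumes a constructed, hypothetical one-line-per-command log format that a protocol-aware network monitor might emit for IEC 104 control traffic, and it flags two behaviours: the same OFF (open) command repeated against the same information object faster than any operator would issue it, and control commands from a host that is not an approved HMI or engineering station. The type identifiers 45 (C_SC_NA_1, single command) and 46 (C_DC_NA_1, double command) are the standard IEC 60870-5-104 values; every address, timestamp, and log line is constructed.

```python
"""Behavioural detection sketch for repeated ICS control commands (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Standard IEC 60870-5-104 type identifiers for control commands.
C_SC_NA_1 = 45  # single command, e.g. breaker open/close
C_DC_NA_1 = 46  # double command
CONTROL_TYPES = {C_SC_NA_1, C_DC_NA_1}

# Hypothetical log format (constructed for this example, not a real tool's output):
#   "<epoch_ts> <src_ip> -> <dst_ip> TI=<type_id> IOA=<ioa> VAL=<ON|OFF>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"TI=(?P<ti>\d+) IOA=(?P<ioa>\d+) VAL=(?P<val>ON|OFF)$"
)


@dataclass(frozen=True)
class ControlCmd:
    ts: float      # seconds since epoch
    src: str       # host that issued the command
    dst: str       # RTU / outstation that received it
    type_id: int   # IEC 104 type identifier
    ioa: int       # information object address (e.g. one breaker)
    value: str     # "ON" or "OFF"


def parse_line(line: str) -> Optional[ControlCmd]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ControlCmd(float(m["ts"]), m["src"], m["dst"],
                      int(m["ti"]), int(m["ioa"]), m["val"])


def detect_command_loops(cmds: Iterable[ControlCmd],
                         window_s: float = 60.0,
                         threshold: int = 5) -> List[Dict]:
    """Alert once per (src, dst, ioa) when >= threshold OFF commands arrive
    within window_s seconds. A human operator opens a breaker once; a loop
    that keeps re-opening it produces a burst that this sliding window catches."""
    recent: Dict[tuple, deque] = defaultdict(deque)
    alerted: Set[tuple] = set()
    alerts: List[Dict] = []
    for c in sorted(cmds, key=lambda c: c.ts):
        if c.type_id not in CONTROL_TYPES or c.value != "OFF":
            continue
        key = (c.src, c.dst, c.ioa)
        q = recent[key]
        q.append(c.ts)
        while q and c.ts - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": c.src, "dst": c.dst, "ioa": c.ioa,
                           "count": len(q), "first_ts": q[0], "last_ts": c.ts})
    return alerts


def detect_unexpected_sources(cmds: Iterable[ControlCmd],
                              allowed_sources: Set[str]) -> List[str]:
    """Control commands should only originate from known HMI/engineering hosts."""
    return sorted({c.src for c in cmds
                   if c.type_id in CONTROL_TYPES and c.src not in allowed_sources})


# Constructed sample: 10.1.1.10 is the operator HMI; 10.1.1.50 is an unexpected
# host that re-issues OFF to the same breaker (IOA 1001) every two seconds.
SAMPLE_LOG = """
1497225600.0 10.1.1.10 -> 10.1.2.20 TI=45 IOA=1001 VAL=OFF
1497225605.0 10.1.1.10 -> 10.1.2.20 TI=45 IOA=1001 VAL=ON
1497225700.0 10.1.1.50 -> 10.1.2.20 TI=45 IOA=1001 VAL=OFF
1497225702.0 10.1.1.50 -> 10.1.2.20 TI=45 IOA=1001 VAL=OFF
1497225704.0 10.1.1.50 -> 10.1.2.20 TI=45 IOA=1001 VAL=OFF
1497225706.0 10.1.1.50 -> 10.1.2.20 TI=45 IOA=1001 VAL=OFF
1497225708.0 10.1.1.50 -> 10.1.2.20 TI=45 IOA=1001 VAL=OFF
1497225710.0 10.1.1.50 -> 10.1.2.20 TI=45 IOA=1001 VAL=OFF
1497225712.0 10.1.1.50 -> 10.1.2.20 TI=45 IOA=1001 VAL=OFF
1497225714.0 10.1.1.50 -> 10.1.2.20 TI=45 IOA=1001 VAL=OFF
1497225800.0 10.1.1.10 -> 10.1.2.21 TI=46 IOA=2002 VAL=OFF
"""
ALLOWED_HMI_HOSTS = {"10.1.1.10"}  # constructed allowlist


def run_sample():
    """Run both detections over the constructed log and return their results."""
    cmds = [c for c in map(parse_line, SAMPLE_LOG.splitlines()) if c]
    return detect_command_loops(cmds), detect_unexpected_sources(cmds, ALLOWED_HMI_HOSTS)


if __name__ == "__main__":
    loops, sources = run_sample()
    for a in loops:
        print(f"LOOP  {a['src']} -> {a['dst']} IOA {a['ioa']}: "
              f"{a['count']} OFF commands in {a['last_ts'] - a['first_ts']:.0f}s")
    for s in sources:
        print(f"SRC   control commands from non-HMI host {s}")
```

The threshold and window are deliberately conservative placeholders; in a real deployment they would be tuned against a baseline of the site's normal control traffic, and the allowlist would come from the asset inventory rather than a literal. The point the post makes is that this kind of rule keys on what the adversary must do to the process, not on a hash that changes with the next build.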