Ukraine Malware Blackouts and The Physical Threats of Cyber Warfare



Back in 2016, Ukraine experienced the first-ever known malware-caused blackout that affected a fifth of Kyiv’s citizens. Six years later, during the early stages of the Russia-Ukraine war, a second attack attempted to combine kinetic and cyber attacks to topple Ukraine’s power grid.

These first-of-their-kind malware-caused blackouts warn of how cyberattacks are evolving and highlight the need to better understand and defend against this type of malware.

A new study from UC Santa Cruz looks into these unique attacks dubbed Industroyer One (2016) and Two (2022) and analyzes how they operated and interacted with the physical power system equipment. Associate Professor of Computer Science and Engineering Alvaro Cardenas, who advised the paper, said: “I want to emphasize how vulnerable our systems are—I don’t know why this hasn’t been more impactful in terms of security awareness, and also policy and planning. When you see a nation state designing malware to take down the power grid of another country, that seems to be a big deal. Our critical infrastructures are vulnerable to these kinds of attacks, so we need to be better prepared to defend.”

According to Techxplore, the study details exactly how the malware interacted with the physical world in both of the mentioned attacks. The researchers obtained copies of the malware and built a “sandbox” software environment that tricked the malware into thinking it was within the industry-specific environment of the Ukrainian power grid, so the researchers could understand exactly how it interacted with the system.

Using this sandbox, the researchers found similarities between the attacks but observed a clear evolution in the malware. Both attacks were completely automated (meaning that there was no human involvement after deployment) and breached areas of the power grid that were designed to be disconnected from the internet for higher security.

Industroyer One could attack both older and more modern systems, was developed without a specific target, and could attack directly from within a grid substation or from a control center hundreds of miles away. However, it had a significant number of bugs and did not always work.

Industroyer Two was developed with its specific targets “baked” into the malware. The researchers report that it targeted three IP addresses, each corresponding to a specific device, presumably to control circuit breakers in specific substations. It also did not have the bugs of its predecessor.

The evolution the researchers observed shows that malware attacks are becoming increasingly stealthy. While both attacks targeted computer control centers, the researchers believe future attackers could try to control “intelligent electronic devices” (IEDs) that are embedded within the systems themselves.

This information was provided by Techxplore.