The Industroyer worm is aimed at taking direct control of electricity substation switches and circuit breakers using standard industrial communication protocols, say researchers at ESET.
The modular software is based around a backdoor that the attackers use to manage the attack; it installs and controls the other components, connecting to a remote server to receive commands and to report back to the attackers.
Industroyer uses four payload components to gain direct control of switches and circuit breakers at an electricity distribution substation, says Anton Cherepanov, senior malware researcher at ESET.
Generally, the payloads work in stages: first mapping the network, then working out and issuing commands that the specific industrial control devices will accept.
The payloads use the communication protocols from IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA).
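As an added illustration of what a defender can monitor on the IEC 60870-5-104 side (this is example code, not part of the article or of ESET's analysis): the snippet parses an IEC 104 APDU, picks out control-direction ASDUs (the single and double commands that operate switches and breakers) and flags any activation command coming from a host that is not an approved SCADA master. The sample frames and the master address 10.0.0.5 are constructed.

```python
import struct
from collections import namedtuple
from typing import Optional

# IEC 60870-5-104 type IDs in the control direction (commands that switch field equipment)
CONTROL_TYPE_IDS = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
                    49: "C_SE_NB_1", 50: "C_SE_NC_1", 51: "C_BO_NA_1", 58: "C_SC_TA_1",
                    59: "C_DC_TA_1", 60: "C_RC_TA_1", 61: "C_SE_TA_1", 62: "C_SE_TB_1",
                    63: "C_SE_TC_1", 64: "C_BO_TA_1"}
COT_ACTIVATION = 6  # cause of transmission "activation": the command is being issued
# select: the S/E bit of the command qualifier (True = select, False = execute)
Asdu = namedtuple("Asdu", "type_id cot common_addr ioa select")

def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Parse one IEC 104 APDU: first info object of an I-format frame, None for S/U-format."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        raise ValueError("malformed APDU")
    if data[2] & 0x01:  # control octet 1, bit 0 set: S-format (..01) or U-format (..11)
        return None
    asdu = data[6:]
    if len(asdu) < 10:
        raise ValueError("ASDU too short")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F  # low 6 bits; bit 6 is P/N, bit 7 is the test flag
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioa = int.from_bytes(asdu[6:9], "little")  # 3-byte information object address
    # S/E bit sits in the first byte only for single/double/step commands (SCO, DCO, RCO)
    select = bool(asdu[9] & 0x80) if type_id in (45, 46, 47, 58, 59, 60) else False
    return Asdu(type_id, cot, common_addr, ioa, select)

def inspect(src_ip: str, data: bytes, allowed_masters: set) -> Optional[str]:
    """Alert when an activation command is sent by a host that is not an approved master."""
    a = parse_apdu(data)
    if (a is None or a.type_id not in CONTROL_TYPE_IDS or a.cot != COT_ACTIVATION
            or src_ip in allowed_masters):
        return None
    phase = "select" if a.select else "execute"
    return f"{CONTROL_TYPE_IDS[a.type_id]} {phase} from unapproved host {src_ip} to CA {a.common_addr}, IOA {a.ioa}"

# Constructed sample frames (not real captures): C_SC_NA_1 ON to IOA 1001, and a monitor report
CMD_FRAME = bytes.fromhex("680e000000002d0106000100e9030001")
MON_FRAME = bytes.fromhex("680e02000000010103000100e9030001")
APPROVED_MASTERS = {"10.0.0.5"}  # assumed address of the legitimate SCADA master

if __name__ == "__main__":
    for src, frame in (("10.0.0.99", CMD_FRAME), ("10.0.0.5", CMD_FRAME), ("10.0.0.99", MON_FRAME)):
        print(src, inspect(src, frame, APPROVED_MASTERS))
```

The same check applied to the other protocols the article names would need their own parsers; IEC 104 is shown because its framing is compact enough to decode in a few lines.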
The researchers dismantled the code and found features designed to enable it to remain under the radar and wipe all traces of itself after it has done its job.
The wiper module is designed to erase critical Registry keys and overwrite files to make the system unbootable and recovery harder. Also of interest is the port scanner that maps the network looking for relevant computers: the attackers built their own custom tool instead of using existing software.
By Nick Flaherty www.flaherty.co.uk
See more about the ABB and Siemens systems that have been targeted at Malware targets electricity grids | EETE Power Management