Industroyer/Crashoverride: Zero Things Cool About a Threat Group Targeting the Power Grid

Presented at Black Hat USA 2017, July 26, 2017, 11:15 a.m. (50 minutes).

<p>The cyber attack on Ukraine’s power grid on December 17<sup>th</sup>, 2016 was the second time in history a power grid had been disrupted due to a digital attack. The first was Ukraine December 23<sup>rd</sup>, 2015. But unlike the 2015 attack, not much details have been public about the threat that faced the power grid in 2016 until now. In June, 2017 ESET released a report on a malware sample they identified as Industroyer. They passed the sample ahead of time to Dragos, Inc. who focused on the industrial control system (ICS) aspects of the malware and revealed new functionality that spelled a nightmare scenario for power grid operators: ICS tailored malware capable of disrupting grid operations at scale in environments independent of system choices. Dragos identified the malware family and new functionality as CRASHOVERRIDE.</p>This talk will walk through the Ukraine 2015 and Ukraine 2016 events with a central focus on the malware, technical analysis of it, and the impact to grid operations. There have only been three other pieces of ICS tailored malware publicly revealed before (Stuxnet, Havex, and BlackEnergy2) making this malware of particular interest in the community. The fact that it could be re-purposed immediately to target grids around Europe and with simple modifications target grids in the United States marks a hallmark event. Defense is doable and our grid operators are actively defending our infrastructure. But learning from such a significant threat is vital to making sure our defensible systems stay defended.

Presenters:

  • Anton Cherepanov - Senior Malware Researcher, ESET
    Anton Cherepanov is currently working at ESET as Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine and BlackEnergy malware. His research was presented on numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on IT security, reverse engineering and malware analysis automation.
  • Ben Miller - Director, Threat Operations Center, Dragos, Inc.
    Ben Miller is Director, Threat Operations Center at the industrial cyber security company Dragos, Inc. where he leads a team of analysts in performing active defense inside of ICS/SCADA networks. In this capacity he is responsible for performing a threat hunting, incident response, and malware analysis mission for the industrial community. Previous to his role at Dragos, Inc. Ben was the Associate Director, Electricity Information Sharing & Analysis Center (Electricity ISAC) and led cyber analysis for the sector. He and his team focused on leading edge cyber activities as they relate to the North American bulk electric system. Ben was recognized as instrumental in building new capabilities surrounding information sharing and analytics in his five years at the E-ISAC. Prior to joining the E-ISAC, Ben built and led a team of 9 focused on Network Security Monitoring, forensics, and incident response at a Fortune 150 energy firm. His team received numerous accolades from industry and law enforcement. During this time he also served in a CIP implementation project and various enterprise-wide mitigation programs. Ben has over 18 years' experience and currently holds the CISSP and GIAC GREM certifications. Ben has served in various roles including both planner and player roles in GridEx I, II, and III. He served as a member of the NERC Cyber Attack Task Force, an acknowledged contributor to NIST SP 800-150, a panel member of the NBISE Advanced Defender panel, and adviser on CI Advanced Defender Training program. Ben is an accomplished speaker in various venues including SANS, ICSWJG, ShmooCon and others. Ben also helps run Charmsec; an informal 'citysec-style meet up' located in Baltimore. He can be found on Twitter @ElectricFork
  • Joe Slowik - Senior Threat Analyst, Dragos, Inc.
    Joe Slowik is a Senior Threat Analyst at Dragos, Inc. and has extensive network security and computer network operations experience spanning the military, intelligence, and nuclear communities. Joe served as an Information Warfare Officer in the US Navy from 2009 to 2014, where he took part in various operations from Afghanistan to the Pacific Ocean bringing cybersecurity and network operations expertise to deployed units. Following his military service, Joe moved to Los Alamos National Laboratory (LANL), working as a threat and malware analyst and leading the incident response team. While at LANL, Joe led efforts to completely revise threat hunting and intelligence operations to make network security more agile and responsive to the threat environment, such as tracking network infrastructure creation and malware development by nation state actors of interest. He may be found on Twitter @jfslowik
  • Robert M. Lee - CEO, Dragos, Inc.   as Robert Lee
    Robert M. Lee is the CEO and founder of the industrial cybersecurity firm Dragos, Inc. He is a well-respected authority on industrial control system cyber security and threat analysis and has authored numerous best practices, training courses (SANS ICS515 and SANS FOR578), and frameworks for the industry to use. Robert obtained his start in cyber security in the U.S. Air Force where he served as a Cyber Warfare Operations Officer. He has performed defense, intelligence, and attack missions in various government organizations including the establishment of a first-of-its-kind ICS/SCADA cyber threat intelligence and intrusion analysis mission. He may be found on Twitter @RobertMLee
  • Robert Lipovsky - Senior Malware Researcher, ESET
    Robert Lipovsky is Senior Malware Researcher in ESET's Security Research Laboratory, with 10 years' experience with malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team in ESET's HQ in Bratislava. He is a regular speaker at security conferences, including Virus Bulletin, CARO, CCCC, and AVAR. He runs a reverse engineering course at the Slovak University of Technology, his alma mater and the Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.

Links:

Similar Presentations: