I will not spread too much. After reading the CrashOverride report by Dragos (Good Job!!), some points show to be very clear:
- It's not a malware for espionage purposes. There's no data exfiltration function in the malware.
- It's more likely to be a destroyer malware (thus the Industroyer name), as there's a wiper module that "renders unusable" the systems where it run.
- It has been clearly showed that this was the malware that caused the power disruption in Ukrayne in December 2016.
- In a context of war in Ukrayne, it seems pretty clear who were the developers of CrashOverride.
- This piece of malware relays on 4 industrial protocols to attack the power plant (IEC104, IEC101, IEC61850 and OPC-DA)
- After Dragos and ESET reports it appears that, appart from the main team, a second team helped in developing the protocol modules
- The malware looked and removed a specific type of industrial logic projects. The projects written with ABB PCM 600. It's very clear the knew what they were doing. They knew perfectly the plant and its processes
- The strategy followed by the attackers was a little bit naive. It just sent values to PLC registers, for opening breakers, de-energizing thus the power plant.
- However, if the infected system is turned down, an operator will be able to recover the power plant energy very quickly.
- The malware did not have spreading features and the only way to persist was modifying a running service (svcdefrag) so that it can persist between restarts. However this is a little bit naive perstance method. It wasn't their purpose to persist too much time...
- Strange enough, malware samples were compiled at 2:30 of December 18th (surely a fake time) while they were used on the attacks just before midnight of December 17th in Ukraine. This apparent inconsistency can be explained if the malware was compiled three time zones before the ukraine's one.
- Another point that show that it was specially tailored for a specific power plant is that it attacked a specific Siemens protective asset (a Siemens Siprotec relay). Unfortunately since July 2015 these device lack a vulnerability that remains them unsable. Although a firmware update was published to fix this issue, clearly the ukrainian power plant did not fix hteir security problems.
To summarize:
It seems a tailored malware for specific power plant that was not intended to remain undiscovered. It was developed quickly and sent to the victim systems just a few menutes after being compiled. It was probably just a proof of concept and only the specific protocol modules could be used in future attacks.
The malware purpose was not industrial espionage but destruction. In a context of war between Russia and Ukraine and given that it seems to have been compiled two-three time zone east of Ukraine, it seems clear where this malware come from.
