Russia reportedly has cyberweapon that can disrupt power grids
Hackers allied with the Russian government have devised a cyberweapon that has the potential to be the most disruptive yet against electric systems that Americans depend on for daily life, according to U.S. researchers.
The malware, which researchers have dubbed CrashOverride, is known to have disrupted only one energy system — in Ukraine in December. In that incident, the hackers briefly shut down onefifth of the electric power generated in Kiev.
But with modifications, it could be deployed against U.S. electric transmission and distribution systems to devastating effect, said Sergio Caltagirone, director of threat intelligence for Dragos, a cybersecurity firm that studied the malware and is issuing a report on Monday.
And Russian government hackers have already shown their interest in targeting U.S. energy and other utility systems, researchers said.
“It’s the culmination of over a decade of theory and attack scenarios,” Caltagirone warned. “It’s a game changer.”
The revelation comes as the U.S. government is investigating a wide-ranging, ambitious effort by the Russian government last year to disrupt the U.S. presidential election.
Dragos has named the group that created the new malware Electrum, and has determined with high confidence that it used the same computer systems as the hackers who attacked the Ukraine electric grid in 2015. That attack, which left 225,000 customers without power, was carried out by Russian government hackers, other U.S. researchers concluded.
“The same Russian group that targeted U.S. (industrial control) systems in 2014 turned out the lights in Ukraine in 2015,” said John Hultquist, who analyzed both sets of incidents while at iSight Partners, a cyber intelligence firm now owned by FireEye, where he is director of intelligence analysis. Hultquist’s team had dubbed the group Sandworm.
“We believe that Sandworm is tied in some way to the Russian government — whether they’re contractors or actual government officials, we’re not sure,” he said. “We believe they are linked to the security services.”
The Department of Homeland Security, which works with the owners of the nation’s critical infrastructure systems, did not respond to a request for comment.
Energy-sector experts said that the new malware is cause for concern, but that the industry is seeking to develop ways to disrupt attackers who breach their systems.
“U.S. utilities have been enhancing their cybersecurity, but attacker tools like this one pose a very real risk to reliable operation of power systems,” said Michael Assante, who worked at Idaho National Labs and is former chief security officer of the North American Electric Reliability Corp.
CrashOverride is only the second instance of malware specifically tailored to disrupt or destroy industrial control systems. Stuxnet, the worm created by the United States and Israel to disrupt Iran’s nuclear enrichment capability, was an advanced military-grade weapon designed to affect centrifuges that enrich uranium.