
Industroyer: biggest threat to industrial control systems since Stuxnet by Anton Cherepanov, Róbert Lipovský


Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine. What sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy (a.k.a. SandWorm), is its ability to control switches and circuit breakers directly via four different industrial communication protocols.
In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will look at the 2016 power outage in the context of the numerous other cyberattacks against Ukrainian critical infrastructure in recent years.
As the protocols and hardware targeted by Industroyer are employed worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure such as water and gas, the malware can be repurposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for the security of these critical systems.


Anton Cherepanov
Anton Cherepanov is currently working at ESET as a Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research has been presented at numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on reverse engineering and malware analysis automation.

Róbert Lipovský
Róbert Lipovský is a Senior Malware Researcher in ESET's Security Research Laboratory, with 10 years' experience of malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team at ESET's HQ in Bratislava. He is a regular speaker at security conferences, including Black Hat, Virus Bulletin, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater, and at Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.



  1. INDUSTROYER. Anton Cherepanov (@cherepanov74), Robert Lipovsky (@Robert_Lipovsky)
  2. Speakers: Robert Lipovsky, Senior Malware Researcher (@Robert_Lipovsky); Anton Cherepanov, Senior Malware Researcher (@cherepanov74)
  3. AGENDA: ICS-targeting malware; The story of INDUSTROYER: Ukrainian blackout; INDUSTROYER analysis; Potential impact
  4. ICS-targeting malware (diagram): MALWARE OPERATOR, INTERNET, INDUSTRIAL SITE, ICS
  5. Industroyer (diagram): MALWARE OPERATOR, INTERNET, POWER DISTRIBUTION COMPANY, INDUSTROYER, ICS
  6. Timeline: STUXNET (2010), HAVEX (2014), BLACKENERGY (2015), INDUSTROYER (2016)
  10. Timeline: STUXNET (2010), HAVEX (2014), BLACKENERGY (2015), INDUSTROYER (2016); 23 Dec 2015
  11. Timeline, BlackEnergy CORE modules: C&C, Network Scanner, File Stealer, Password Stealer, Keylogger, Screenshots, Network Discovery
  14. Timeline, INDUSTROYER: Blackout in Ukraine, 17 Dec 2016; ESET begins analysis, a few days later; Initial report finished, 18 Jan 2017; Further research; Industroyer report goes public, 12 Jun 2017
  15. Industroyer (diagram): Main Backdoor; MALWARE OPERATOR, INTERNET, POWER DISTRIBUTION COMPANY, ICS
  16. Main backdoor – list of commands:
      • Execute process
      • Execute process using specified user account
      • Download file from C&C server
      • Copy & upload file
      • Execute shell command
      • Execute shell command using specified user account
      • Quit
      • Stop service
      • Stop service using specified user account
      • Start service using specified user account
      • Replace "Image path" registry value for specified service
  17. Main backdoor – list of commands (same list, highlighting "Copy & upload file")
  18. MAIN BACKDOOR -> VBS -> MS SQL -> CSCRIPT -> VBS
  19. VBScript run by the main backdoor over an MS SQL connection; it turns on "Ole Automation Procedures" and xp_cmdshell:

      ```vbscript
      ' mConnection is an already-open ADODB connection to the MS SQL server
      Set cmd = CreateObject("ADODB.Command")
      cmd.ActiveConnection = mConnection
      ' "show advanced options" must be enabled before either setting can be changed
      cmd.CommandText = "BEGIN EXEC sp_configure 'show advanced options', 1;RECONFIGURE; EXEC sp_configure 'Ole Automation Procedures', 1;RECONFIGURE; END;"
      cmd.Execute
      ' enable xp_cmdshell so OS commands can be launched from SQL
      cmd.CommandText = "BEGIN EXEC sp_configure 'show advanced options', 1;RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; END;"
      cmd.Execute
      ```

  20. Main backdoor – list of commands (same list, highlighting "Replace "Image path" registry value for specified service")
  21. Main Backdoor, Additional Backdoor, Port Scanner, DOS TOOL. The port scanner is launched through xp_cmdshell:

      EXEC xp_cmdshell 'C:intelport.exe -ip=%IP_ADDRESS% -ports= 2404, 21845, 445, 135';

      Ports: 135 – RPC Locator service; 445 – SMB; 2404 – IEC 60870-5-104; 21845 – webphone; 700 – Extensible Provisioning Protocol over TCP; 701 – Link Management Protocol; 1433 – MS SQL Server default port; 1521 – nCube License Manager / Oracle DB
  22. Main Backdoor, Additional Backdoor, Port Scanner, DOS TOOL, Launcher
  23–25. Malware impact: PAYLOADS
  26. Components and payloads: Main Backdoor, Additional Backdoor, Launcher (17 Dec 2016 - 22:27 UTC), Port Scanner, DOS TOOL, 101 Payload, 104 Payload, 61850 Payload, OPC DA Payload
  27. 101 Payload (IEC 60870-5-101):
      • Serial
      • IOA (Information Object Address) ranges
      • single command (C_SC_NA_1)
      • double command (C_DC_NA_1)
      • OFF -> ON -> OFF
  28. 104 Payload (IEC 60870-5-104):
      • TCP/IP
      • Modes: Range, Shift, Sequence
  29–31. 104 Payload (slides with no transcribed text)
  32. 61850 Payload (IEC 61850):
      • Auto-discovery
      • CSW, CF, Pos, and Model
      • CSW, ST, Pos, and stVal
      • CSW, CO, Pos, Oper, but not $T
      • CSW, CO, Pos, SBO, but not $T
  33. OPC DA Payload:
      • Discovers OPC servers
      • COM interfaces: IOPCServer, IOPCBrowseServerAddressSpace, IOPCSyncIO
      • ctlSelOn (Select on command)
      • ctlSelOff (Select off command)
      • ctlOperOn (Operate on command)
      • ctlOperOff (Operate off command)
      • Pos and stVal (Switch position status)
  34. OPC DA Payload (slide with no transcribed text)
  35. OPC DA Payload – analysis tooling. GitHub: https://github.com/eset/malware-research/tree/master/industroyer
      • Identifies OPC Data Access LIBIDs, CLSIDs, IIDs in binary
      • Creates OPC DA structures and enums in IDA Pro
      • Can be used for general purpose reverse engineering
  36. OPC DA Payload – Before
  37. OPC DA Payload – After
  38. Malware impact: DENIAL OF SERVICE
  39. Malware impact: DATA WIPER
  40. Components and payloads: Main Backdoor, Additional Backdoor, Launcher, Port Scanner, DOS TOOL, Data Wiper, 101 Payload, 104 Payload, 61850 Payload, OPC DA Payload
  41. ABB PCM600; ABB MicroSCADA; Signal Cross References; Substation Configuration Language; Substation Configuration Description; Configured IED Description
  42. TAKE AWAYS: Global Threat; Dangerous Attacker; Unfulfilled potential
  43. Thank you! Questions? @cherepanov74 @Robert_Lipovsky
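As an added, defender-side example (not code from the talk or from ESET): a small parser for IEC 60870-5-104 I-format APDUs that extracts the single and double commands (C_SC_NA_1, C_DC_NA_1) named on slide 27 and flags the OFF -> ON -> OFF toggle pattern against one IOA, the kind of check a substation network monitor can run. The frame builder and the test stream are constructed data; the zero sequence numbers, COT 6 and common address 1 are assumptions.

```python
# Added example: detect IEC 104 control commands and the OFF -> ON -> OFF
# toggle pattern (slide 27). Constructed test data; not the talk's code.
TYPE_NAMES = {45: "C_SC_NA_1", 46: "C_DC_NA_1"}   # single / double command


def parse_control_commands(apdu: bytes) -> list:
    """Return the control commands carried by one APDU (empty for S/U-format)."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] + 2 != len(apdu):
        raise ValueError("malformed IEC 104 APDU")
    if apdu[2] & 0x01:                      # control field bit 0 set: no ASDU
        return []
    asdu = apdu[6:]
    if len(asdu) < 6 or asdu[0] not in TYPE_NAMES:
        return []
    type_id, count = asdu[0], asdu[1] & 0x7F   # VSQ low 7 bits = object count
    commands, offset = [], 6                # skip type, VSQ, COT(2), CA(2)
    for _ in range(count):                  # SQ=0: each object carries its IOA
        if offset + 4 > len(asdu):
            break
        ioa = int.from_bytes(asdu[offset:offset + 3], "little")
        qual = asdu[offset + 3]             # SCO (45) or DCO (46) byte
        if type_id == 45:
            state = "ON" if qual & 0x01 else "OFF"
        else:
            state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
        commands.append({"type": TYPE_NAMES[type_id], "ioa": ioa,
                         "state": state, "select": bool(qual & 0x80)})
        offset += 4
    return commands


def find_toggle_sequences(apdus, pattern=("OFF", "ON", "OFF")) -> list:
    """IOAs that receive the given state sequence across a stream of APDUs."""
    history = {}
    for apdu in apdus:
        for cmd in parse_control_commands(apdu):
            history.setdefault(cmd["ioa"], []).append(cmd["state"])
    n = len(pattern)
    return sorted(ioa for ioa, states in history.items()
                  if any(tuple(states[i:i + n]) == pattern
                         for i in range(len(states) - n + 1)))


def build_single_command(ioa: int, on: bool, ca: int = 1) -> bytes:
    """Constructed test frame: I-format APDU with one C_SC_NA_1 (COT=6, execute)."""
    asdu = bytes([45, 1, 6, 0, ca & 0xFF, ca >> 8])
    asdu += ioa.to_bytes(3, "little") + bytes([1 if on else 0])
    control = bytes(4)                      # send/receive sequence numbers 0
    return bytes([0x68, len(control) + len(asdu)]) + control + asdu
```

A real deployment would feed APDUs reassembled from captured TCP port 2404 traffic and alert on any toggle hit outside planned switching windows.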
