35. 101ペイロード 104ペイロード
61850
ペイロード
OPC DA
ペイロード
• Auto-discovery
• CSW, CF, Pos, and Model
• CSW, ST, Pos, and stVal
• CSW, CO, Pos, Oper, but not $T
• CSW, CO, Pos, SBO, but not $T
It’s good to see all of you here today… Literally. Meaning the lights are on.
Because today we’re speaking about Industroyer – malware capable of causing a blackout. In fact, it caused one…in Ukraine last December.
Now, that’s big, but there’s more – Industroyer is the 1st ever malware designed to attack power grids automatically, and we consider it to be the biggest threat to Industrial Control Systems since Stuxnet.
My name is Robert Lipovsky, and together with my collegue Anton Cherepanov, we analyze malware and investigate cyberattacks on a daily basis, in fact, both of us have been doing it for 10 years now… but when we discovered Industroyer last December, frankly, we were blown away…
We’re based in Slovakia, EU, we work as malware researchers for ESET – the company that pioneered antimalware heuristics and has been innovating antimalware solutions for 30 years.
First, we’ll put Industroyer into context of other malware that targeted ICS in the past
Then we’ll explain how Industroyer works
First, let’s take a look at how ICS-targeting malware works…
We have an industrial site, which can be anything, from a uranium enrichment plant to an automobile factory, with its specialized industrial hardware.
These devices are controlled and configured by human operators from workstations [click], typically running Windows, and that was the point of infiltration for all the known ICS-targeting malware families.[click]
Where the malware families differ, is in their capability – and methods – of controlling/disrupting the industrial process.
Industroyer was specifically designed to attack electricity distribution substations.
There’s a timer [click], in the analyzed samples set to the time of the blackout in Kiev, Ukraine last December…
…that triggers Industroyer’s unique payload: controlling circuit breakers automatically through industrial communication protocols [click] in order to cut the power.
Industroyer joined this “elite” club of only 3 malware families known to be used in attacks against ICS
Stuxnet, which needs no introduction, was able to reprogram PLCs to change the rotation speed of centrifuges.
Havex – DragonFly – Energetic Bear
which infected many industrial sites
Used OPC DA protocol – also used by Industroyer – but unlike Industroyer, Havex only for espionage
BlackEnergy is a bit different from the other 3 families
We’ve been tracking it since 2011…and there we’re many campaigns over the years – mostly spearphishing – and we even discovered they used a Powerpoint 0-day: CVE-2014-4114…
… and many targets – many high value targets, including government, media, transportation…
But what’s relevant to our topic today are the campaigns against the Ukrainian power grid. They started in March 2015…
[click] And on December 23rd, culminated in the first known malware-enabled blackout that affected several regions in the country and left around 230000 people in the dark for several hours.
As I said, BlackEnergy is different from these other malware toolsets.
It wasn’t designed to target ICS specifically, but is a more “general purpose” cyberweapon.
Through its network traversal and espionage modules, it paved the way for attackers
Who then used Radmin …
…legitimate remote access software installed at the power distribution companies to manually “pull the plug”
[click]
And this is an actual video taken by an operator while the attackers were remotely accessing their system
…legitimate remote access software installed at the power distribution companies to manually “pull the plug”
[click]
And this is an actual video taken by an operator while the attackers were remotely accessing their system
And now onto the main topic…
On December 17, 2016, almost exactly one year after the previous blackout, we we’re struck with a sense of deja-vu
There was another blackout and we started analyzing samples of malware, which became the main suspect – Industroyer
We sent our analysis to Ukraine, and then waited, not to interfere with ongoing investigations…
And then received the green light to publish in June
We already mentioned what Industroyer can do…and did, (or “Industroyer’s principal functionality)
Now let’s look under the hood
It starts with the main backdoor, which takes care of C&C communication and launches other components
It’s not super interesting, typical malware, the kind we analyze thousands of every day.
Here’s the list of commands it supports.
We while Industroyer doesn’t focus on espionage functionality like BlackEnergy, it does provide attackers the capability of downloading and executing additional modules…
as well as to exfiltrate files off the infected machine.
Output produced by this command also gave us a glimpse into the command execution chain and lateral movement during the attack
Multiple stages – staying under the radar
SQL DB
/not published/
Got hold of in-house custom application that stores environment layouts, ICS process logs & telemetry
RE’d it, discovered that data stored in MSSQL server, hardcoded credentials. (Shows skill of attackers)
Abused the DB to execute a number of shell commands during the reconnaissance phase of attack
In order to do that, they 1st enabled the DB’s capability to execute these commands through xp_cmdshell
Here are a few commands executed from that machine
Benefit – stealth – shell commands executing from context of DB, also DB stored malicious binaries – measure to avoid AV detection
The last command in the list is used for persistence, to ensure the malware survives a reboot. It does that by pointing the Image Path Registry value of a chosen existing Windows service to a more obfuscated version of itself.
There’s also a secondary backoor, used as a backup mechanism, in case the main backdoor gets detected or disabled.
It’s interesting because it masquerades as a trojanized (and otherwise fully functional) version of Windows Notepad, which it replaces in the system. SIMILAR TECHNIQUE USED BY DRAGONFLY 2017
There are a few additional tools – noteworthy is a custom port scanner which the attackers chose instead of nmap, for example,
And DoS tool, which actually impacts the ICS, and I’ll talk about it later.
And now we’re getting to the interesting part…
We identified 3 distinct ways Industroyer attacks the electricity substation.
Firstly, and most importantly, it can directly control the industrial hardware on site…
So what is this “hardware”? They’re called Remote Terminal Units, commonly protection relays – on these photos you can see them from 2 vendors – Siemens and ABB. There are many types but basically their function is to open and close circuit breakers – for the purposes of protection, balancing the power grid, and so on…
These devices are configured and monitored via specialized SCADA software on regular workstations, typically running Windows
And the communication happens through one of several industrial communication protocols….there are several, some are regionally specific, some operate over a serial connection, others over TCP/IP but overall idea is the same…
It’s important to note that Industroyer “abuses” them… there are no “exploits”, no software vulnerabilities, it uses the protocols in the way they were designed to be used…decades ago, without security in mind.
Now I pass the microphone to Anton, the lead in the Industroyer analysis, to walk you through the payloads…
Robert mentioned the exact timing of an Industroyer attack. That’s the job of the {click} launcher component
The launcher samples we analyzed would launch the individual payload modules on {click} December 17, 2016 – shortly before the power outage.
We identified modules capable of controlling devices through 4 communication protocols: IEC 101, IEC 104, 61850, OPC DA.
Most of them are DLLs, with their own configuration files
Requires a configuration file – here’s an example
101 communicates over a serial connection – the COM ports to use are specified in config
1st thing it does – kills legitimate process on the workstation responsible for controlling the devices and takes over
The devices operate on something called IOA – Information Object Address – think of them as network ports, or… registers
There are several different IOA types, but the payload is only interested in two specific ones, which can accept commands.
It goes over a range of IOAs, defined in the config, and sends the command sequence “OFF -> ON -> OFF”
The idea in the 104 payload is very similar to 101, in that it sends ON or OFF commands to the devices
But there are a few differences:
- Works over TCP/IP instead of serial
Many more configuration options
As you can see here, possible to specify multiple STATION entries work in parallel threads
3 modes of operation – range / shift / sequence
Both for 101 and 104, attackers don’t know the types of IOAs, so they have to do a kind of “bruteforce” to find out which will accept commands – “trial & error”
Range & shift used to discover the right IOAs, Sequence used once they’re known
Payload constructs packets on the fly
Thankfully, WireShark can dissect them
As you can see, this example is a “single command type” on IOA #10
The payload can also write to the console – here’s an example
It supports not only console output but also logging
This example demonstrates the capability of the payload – it tries to switch circuit breakers to ON or OFF in an infinite loop
The exact logic depends on the config: either ON, or OFF, continuously or flipping back & forth between iterations
61850 is a bit different, and a bit more advanced.
Like 104, it operates over TCP/IP but it can function even if IP addresses are not specified in the configuration - it can auto-discover devices on the network
Doesn’t operate on IOAs but named elements.
It looks for these hardcoded names – they correspond to circuit breakers and switches.
So it’s a different approach but, again, same purpose - to OPEN or CLOSE circuit breakers.
The last payload is a step above the rest. Not that it’s more advanced but it operates on a higher software abstraction level. Technically, OPC Data Access can be built on top of 101, 104, or 61850.
It uses Distributed COM to discover all OPC servers running in the network. Obtains all their named items, searching for these specific tags
Then it addresses the byte value 1 to items with these tags.
But what does that mean? Let’s take a look in the documentation.
Those tags are associated with ABB.
Their type is ABBCommandBitmask…
And writing the value 1 on bit position 0, results in normal execution of that command
And this OPC Process Object Lists Tool by ABB helps us translate the commands into a better human-readable form…
So again, the purpose is the same – opening circuit breakers.
Analyzing the Industroyer payloads are a piece of cake for a skilled reverse-engineer, because they’re not obfuscated in any way.
The only thing that can…and will slow you down…is this annoying COM stuff
So to help analyze any future malware that would use OPC DA, we’re releasing this IDA Python script
This is what the code looks like before the script
Robert: Well, that looks much better. Thank you Anton.
All 4 payloads serve a similar purpose – to open and close circuit breakers.
De-energizing a substation is the most obvious one. But there are other theoretical possibilities and the 2007 Aurora generator test demonstrated how out-of-sync closing of protective relays can lead to physical hardware destruction.
The second type of functionality we found in the Industroyer framework, is rendering protection relays irresponsive.
This is done by the Denial of Service tool…
And it does it by exploiting the vulnerability in Siemens SIPROTEC devices described in this Advisory.
The module sends specially crafted UDP packets to port 50000.
”Knocking these devices out” serves to amplify the impact of the payloads Anton talked about.
Siemens did patch the vulnerability in a firmware update, but you can imagine how regularly these devices are updated
The third and final type of payload functionality in the Industroyer samples we analysed is the Data Wiper module – [click]
its purpose is to make recovery from the attack harder - goes not after the RTUs but after the workstations used to configure them
it’s executed by the launcher module - either 1-2 hours after the ICS-payload modules
Remember the configuration software we showed you earlier?
This module wipes files belonging to SCADA software, as you can see on the screen…
Furthermore, it renders the machine unbootable by corrupting the Registry and finally crashes it by killing all, including system processes.
Substation operator…circuit breakers being reopened, protection relays irresponsive, when you sit down to fix the problem, SCADA SW gone
Another demonstration of the importance of backups
Some modules Vendor-agnostic others specific to Siemens/ABB… also discovered GE firmware
As you’ve seen, Industroyer’s capabilities are rather versatile.
It was malware that caused the Ukraine blackout – but it’s also configurable, and can be re-purposed to attack power grids around the {click} world.
It’s a scalable and dangerous weapon against ICS – as we’ve said, the biggest since Stuxnet.
But the gist of the threat is in the skillset and dedication of the {click} malware operators. It’s not about being able to code the malware but their ability (which they demonstrated in Ukraine) to become familiar with the architecture of industrial site they want to target – what devices there are, what commands to send them, and what will happen as a result.
configurable, and can be re-purposed to attack power grids around the {click} world.
It’s a scalable and dangerous weapon against ICS – as we’ve said, the biggest since Stuxnet.
But the gist of the threat is in the skillset and dedication of the {click} malware operators. It’s not about being able to code the malware but their ability (which they demonstrated in Ukraine) to become familiar with the architecture of industrial site they want to target – what devices there are, what commands to send them, and what will happen as a result.