Electricity has become an essential part of our lives, from the moment we wake up and look at our smartphones to the time we watch Netflix before going to sleep. Technology, and the electricity that powers it, has made our lives easier, and our dependency has grown to the point where a day without power would send everyone into a frenzy. This form of energy has been widely adopted and integrated into sectors such as medicine, hospitality, transportation, Information Technology (IT), and many others. With recent advances in technology, the demand for electricity is increasing, and various techniques and innovations are being implemented to improve reliability and power security. This reliance on power has made it a potential target for criminals and governments seeking to disrupt the peace of a country. They strategically target the control systems used in power generating stations and tamper with their operation or shut them down completely, which not only causes inconvenience but also results in the destruction of assets. This article looks at malware that, although malware was initially used only to hack computers, has been used to shut down generating stations.
Stuxnet was the first cyber worm deployed against the specific control systems of power plants. Rather than a worm, it can be described as the first cyber weapon, and it was one of the most sophisticated pieces of software ever created. It was jointly created by the US and Israeli governments to attack Iranian nuclear reactors and delay the work of creating nuclear weapons. Stuxnet operated by first targeting Windows systems, on which it replicated at a rapid scale; it was designed to penetrate systems by exploiting Windows zero-day flaws. It was specifically built to target Windows systems running the WinCC and PCS 7 programs. Once it had successfully infected a targeted system, the worm took control of that system and varied the frequency of the electricity supplied to the centrifuges, causing the motors to accelerate and decelerate at an erratic pace and leading to improper purification of the core. The biggest difference from earlier malware was that, while the program was executing, the computers raised no red flags: they reported that the centrifuges were operating as intended, and no discrepancy was visible. When the rootkit was examined, it was found to contain Siemens commands that control Programmable Logic Controllers (PLCs), which explains how it was able to change the operating states of the motors. The worm was so sophisticated that it multiplied rapidly and spread across various platforms and devices. The attack reportedly began when a careless plant employee connected an infected USB drive to a computer on the "air-gapped" network. It was estimated that around 986 centrifuges were destroyed, reducing enrichment efficiency by 30%. The malware spread like wildfire, affecting nearly 90,000 to 100,000 computers in around 115 countries, with the top three being Iran, Indonesia, and India.
The next malware, named Havex, took inspiration from the infamous Stuxnet and was specifically designed to target the energy sector. Its purpose was similar to that of its predecessor: it would infect hydropower stations and disable the gates, or disrupt the operation of the centrifuges of nuclear power plants. The mode of infection was unique, rather than the usual exploit kits or spam mails. Attackers gained access to the websites of software companies and implanted the malware into installable software; when a user installed that software, the malware was installed alongside it and began executing. Havex, a Remote Access Trojan (RAT), was used to create a backdoor that allowed the attackers to gain access to the infected system and execute commands through Command and Control (C&C) servers. Although the affected companies were not named, it was understood that a few educational institutions in France and a few companies in Germany were targeted. After further investigation, the malware was said to be linked to individual Russian hacker groups or to hackers funded by the Russian government.
The next malware is particularly interesting because it disrupted the lives of nearly 1.4 million Ukrainian citizens. On 23rd December 2015, the power supply was interrupted for several hours by a type of malware called a trojan. Initially it was thought to be an isolated event targeting one plant, but further investigation found that several other power companies had been targeted and disrupted at the same time. The cause of the attack was found to be a particular trojan called BlackEnergy, a piece of malware with a rich history that had been used in various attacks with different distribution mechanisms, ranging from DDoS to rootkits. In this case, the trojan planted itself on the computer and created a backdoor, which was later used to download a KillDisk component that rendered the infected computer unbootable. The attackers exploited a vulnerability in Microsoft Office and embedded a malicious macro in a document. They used a spear-phishing attack in which the infected file was sent from a spoofed email address, claiming to come from the Ukrainian parliament, with convincing text asking the recipients to open the file; doing so executed the malicious code. When executed, KillDisk deleted certain system files and rendered the computer unbootable. On many computers, KillDisk was found to contain additional functionality that would corrupt the operation of Industrial Control Systems (ICS). This was an eye-opener for the Ukrainian government, which witnessed first-hand the capability of malware to take down an entire network. The day was intentionally chosen to give the citizens a Christmas they would never forget.
The above attack, along with the 2017 WannaCry ransomware attack, was an eye-opener for the Indian Government, which witnessed the power of a cyber attack and, in particular, how it was able to shut down power grids. The Ministry of Power asked the Central Energy Authority (CEA) to produce a report describing the devastating effects if India were to be attacked in such a manner. The report stated that such an attack would be difficult to predict and to assess, and that the recent attack on the nuclear power plant had created an urgent need to develop and improve a firewall to prevent such events from ever happening again. It also stated that, with the recent advances in the smart grid, it is essential to improve security against any type of infection.
We have moved from an era in which malware was used merely to prank people to one in which it can be used by criminals, governments, and others to cause real damage to a country's operations and to affect its economy, directly or indirectly.