ICS Alert

CRASHOVERRIDE Malware

Alert Code
ICS-ALERT-17-206-01

Description

CRASHOVERRIDE, also known as Industroyer, is the fourth family of malware publicly identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial of service (DoS) to Siemens SIPROTEC devices.

SUMMARY

NCCIC/ICS-CERT is in the process of analyzing samples of the CRASHOVERRIDE malware family, including an additional component for credential harvesting that is presumed to be related. As part of this analysis, ICS-CERT has developed a YARA signature to detect components, as well as potential variants of the malicious files ICS-CERT possesses.

Dragos, Inc., ESET, and US-CERT have released open source technical reports for the CRASHOVERRIDE malware family. These reports are available on their respective publisher’s web sites, found at the links below:

Dragos, Inc.: CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations

ESET: Win32/Industroyer: a new threat for industrial control systems

US-CERT: Alert (TA17-163A) CrashOverride Malware

DETECTION

YARA SIGNATURE

ICS-CERT has published instructions for using the YARA signature that is applicable to typical information technology environments. ICS-CERT recommends a phased approach to utilizing this YARA signature in an ICS environment. Test the use of the signature in a test/quality assurance/development ICS environment if one exists. If not, deploy the signature against backup or alternate systems in the top end of the ICS environment; this signature will not be usable on the majority of field devices.

ICS-CERT has produced a YARA signature to aid in identifying whether the malicious files are present on a given system. This signature is provided "as is" and has not been fully tested for all variations or environments. Any positive or suspected findings should be immediately reported to ICS-CERT for further analysis and correlation. The YARA signature is available at:

https://ics-cert.us-cert.gov/sites/default/files/file_attach/ICS-ALERT-17-206-01.yara

YARA is a pattern-matching tool used to help identify malware. You can find usage help and download links on the main YARA page at:

http://plusvic.github.io/yara/

For use on a Windows machine, you can download the precompiled binaries at:

https://github.com/plusvic/yara/releases

YARA 3.6.0 or higher is required to use the provided signature. ICS-CERT also provides a control systems recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
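The phased rollout described above (version check first, then test/QA systems, then backup or alternate top-end systems), as an added example in POSIX shell that is not ICS-CERT's own tooling. It wraps the `yara` command-line tool; the rules file path, the tier names and the directories scanned are assumptions.

```shell
#!/bin/sh
# Added example, not ICS-CERT's tooling: phased deployment of the
# ICS-ALERT-17-206-01 YARA signature with the `yara` CLI.
# Assumptions: the signature was downloaded from the alert's URL to $RULES,
# and the directories given to scan_tier are upper-tier ICS hosts (test/QA
# systems first, then backup or alternate systems), never field devices.
RULES="${RULES:-ICS-ALERT-17-206-01.yara}"
MIN_VERSION="3.6.0"   # minimum yara version stated in the alert

# version_ge HAVE WANT: succeed when dotted version HAVE is >= WANT.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s\n' "$1" | cut -d. -f"$i"); w=$(printf '%s\n' "$2" | cut -d. -f"$i")
        [ "${h:-0}" -gt "${w:-0}" ] && return 0
        [ "${h:-0}" -lt "${w:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Refuse to scan with a yara older than the alert's minimum.
check_yara() {
    have=$(yara --version 2>/dev/null) || { echo "yara not on PATH" >&2; return 1; }
    version_ge "$have" "$MIN_VERSION" || { echo "yara $have is older than $MIN_VERSION" >&2; return 1; }
}

# scan_tier NAME DIR...: recursively scan each DIR, appending yara's
# "rule path" match lines to a per-tier log, then print the match count.
scan_tier() {
    tier="$1"; shift
    log="yara-$tier-$(date +%Y%m%d).log"
    for d in "$@"; do
        [ -d "$d" ] || { echo "skipping missing directory $d" >&2; continue; }
        yara -r "$RULES" "$d" >>"$log" 2>>"$log.err"
    done
    count_matches "$log"
}

# count_matches LOG: print the number of distinct matched files; these are
# the findings to report to ICS-CERT. Prints 0 when the log does not exist.
count_matches() {
    [ -f "$1" ] || { echo 0; return; }
    awk '{ sub(/^[^ ]+ /, ""); print }' "$1" | sort -u | wc -l | tr -d ' '
}

# Usage: ./scan.sh TIER DIR...   e.g. "test /opt/ics-test" then "backup /opt/ics-backup"
if [ "$#" -gt 0 ]; then
    tier="$1"; shift
    check_yara && scan_tier "$tier" "$@"
fi
```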

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
