ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), U.S. Department of Homeland Security
TLP:WHITE

Alert (ICS-ALERT-17-206-01)

CRASHOVERRIDE Malware

Original release date: July 25, 2017

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



SUMMARY

CRASHOVERRIDE, a.k.a. Industroyer, is the fourth family of malware publicly identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial of service (DoS) to Siemens SIPROTEC devices.

NCCIC/ICS-CERT is in the process of analyzing samples of the CRASHOVERRIDE malware family, including an additional component for credential harvesting that is presumed to be related. As part of this analysis, ICS-CERT has developed a YARA signature to detect components, as well as potential variants of the malicious files ICS-CERT possesses.

Dragos, Inc., ESET, and US-CERT have released open source technical reports on the CRASHOVERRIDE malware family. These reports are available on their respective publishers' websites, at the links below:

Dragos, Inc.: CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations

ESET: Win32/Industroyer: a new threat for industrial control systems

US-CERT: Alert (TA17-163A) CrashOverride Malware

DETECTION

YARA SIGNATURE

ICS-CERT has published instructions for using the YARA signature that are applicable to typical information technology environments. ICS-CERT recommends a phased approach to using this YARA signature in an ICS environment. Test the signature in a test/quality assurance/development ICS environment if one exists. If not, deploy the signature against backup or alternate systems in the top end of the ICS environment; this signature will not be usable on the majority of field devices.

ICS-CERT has produced a YARA signature to aid in identifying if the malicious files are present on a given system. This signature is provided “as is” and has not been fully tested for all variations or environments. Any positive or suspected findings should be immediately reported to ICS-CERT for further analysis and correlation. The YARA signature is available at:

https://ics-cert.us-cert.gov/sites/default/files/file_attach/ICS-ALERT-17-206-01.yara

YARA is a pattern-matching tool used to help identify malware. You can find usage help and download links on the main YARA page at:

http://plusvic.github.io/yara/

For use on a Windows machine, you can download the precompiled binaries at:

https://github.com/plusvic/yara/releases

YARA 3.6.0 or higher is required to use the provided signature.

ICS-CERT also provides a control systems recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
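As an added example (not part of this alert and not ICS-CERT's own tooling), the following POSIX shell wrapper enforces the YARA 3.6.0 minimum stated above and then runs the downloaded rule file recursively against one phase target at a time, appending matches to a report file for submission to ICS-CERT. The rule-file path, report path and target directories are assumptions supplied by the operator.

```shell
#!/bin/sh
# Added example: phased scan with the ICS-CERT CRASHOVERRIDE YARA rule.
# Assumed paths (not from the alert): rule saved locally, report in cwd.
RULE_FILE="${RULE_FILE:-./ICS-ALERT-17-206-01.yara}"
REPORT="${REPORT:-./crashoverride-yara-report.txt}"
MIN_YARA="3.6.0"   # minimum YARA version named in the alert

# version_ge HAVE NEED: return 0 if dotted version HAVE >= NEED
# (major.minor.patch). A suffix such as "4.0.0-rc1" compares by its
# leading number, which awk's string-to-number conversion gives us.
version_ge() {
    awk -v have="$1" -v need="$2" 'BEGIN {
        n = split(have, h, "."); m = split(need, r, ".")
        for (i = 1; i <= 3; i++) {
            x = (i <= n) ? h[i] + 0 : 0
            y = (i <= m) ? r[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# check_yara: confirm the yara binary exists and meets MIN_YARA.
check_yara() {
    command -v yara >/dev/null 2>&1 || { echo "yara not found" >&2; return 1; }
    have=$(yara --version 2>/dev/null | head -n 1)
    version_ge "$have" "$MIN_YARA" || {
        echo "yara $have found, $MIN_YARA or higher required" >&2; return 1; }
}

# scan_target DIR: scan one phase target recursively. yara prints one
# "rule_name path" line per match; these are appended under a timestamp.
scan_target() {
    printf '== %s == target %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$REPORT"
    yara -r "$RULE_FILE" "$1" >> "$REPORT" 2>&1
}

# main TARGET...: targets are scanned in the order given, so the caller
# lists the test/QA environment first, then backup or alternate systems.
main() {
    [ -r "$RULE_FILE" ] || { echo "rule file $RULE_FILE missing" >&2; exit 1; }
    check_yara || exit 1
    for t in "$@"; do scan_target "$t"; done
    echo "findings written to $REPORT"
}

# Run only when targets are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Any match in the report should be reported to ICS-CERT as the alert requests, rather than treated as a confirmed infection on its own.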

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: http://ics-cert.us-cert.gov
For incident reporting: https://ics-cert.us-cert.gov/Report-Incident?
