The seemingly local cyberattack that cut power to part of Ukraine's capital, Kiev, last December could have been a test run. And security researchers now say the malware believed to have caused the blackout is actually modular, mostly automated and highly adaptable. That means it doesn't just work on electrical grids in Ukraine. This dangerous cyberweapon might work in Sydney or Paris or New York — anywhere really.
The streets of New York City after Hurricane Sandy caused blackouts in large parts of Manhattan. (Photo: Getty)
Researchers from ESET and Dragos call the malware likely used in the attack "Industroyer" or, more salaciously, "Crash Override". (The latter is a cheeky nod at the '90s cyberpunk film Hackers.) While the 2016 outage in Kiev only lasted an hour, their research suggests that the attack showcased only a small amount of the malware's destructive power. Based on this research, Wired's Andy Greenberg calls Crash Override "the most evolved specimen of grid-sabotaging malware ever observed in the wild". This sort of description invites comparison to the Stuxnet worm, a highly sophisticated piece of malware built by the United States and Israel to take Iran's nuclear facilities offline.
What's ultimately disturbing about Crash Override, however, is the fact that the malware doesn't appear to be custom-built for a specific attack. Security researchers say that the code can be modified to target a specific city or country and scaled up to last much longer than an hour. Dragos founder Robert M. Lee told Reuters that the malware could cause outages lasting several days, though he said it was unlikely that Crash Override could take out an entire country's grid. There's more bad news, though. "With small modifications, it could be leveraged against the United States," Lee said.
It's unclear who's behind Crash Override, but all signs point to Russia. The December 2016 blackout in Ukraine was the second such incident in as many years, although the Crash Override malware only appeared in the most recent attack. Ukraine's president Petro Poroshenko actually addressed the issue of Russian cyberattacks at Davos earlier this year.
"There is a global cyber war of Russia against [the] whole world, there is lots of evidence," Poroshenko told Reuters at the World Economic Forum. "This is a global danger, and the world should be together to fight this danger."
If anybody knows about the direct threat of an unhinged Russia, of course, it's Poroshenko. Russia has been openly intervening in Ukrainian affairs since 2014, when Putin's forces invaded parts of Crimea wearing unmarked military uniforms and driving unmarked military vehicles. The clandestine nature of Russia's activity in the cyber arena is even scarier. At the time of last December's blackout in Kiev, Poroshenko said that Russia had launched about 6500 cyber attacks on the country in just two months.
And so, as US intelligence and law enforcement officials investigate whether there was Russian interference with the 2016 US election, the idea that Putin's cyber warriors have more powerful weapons in their arsenal — weapons that they might deploy on more countries, including the US — is very unsettling. ESET security researcher Robert Lipovsky, who helped write the white paper on Crash Override, went so far as to tell Wired, "The potential impact here is huge." Lipovsky added, "If this is not a wakeup call, I don't know what could be."
The (pretty dim) bright side to all of this is that the latest research into Crash Override could actually help countries around the world secure their power grids. If learning how powerful the weapon could be serves as a wakeup call, then building better cyber defence systems should be the next step. That doesn't mean every utility company in America will make those preparations. But hopefully many will.