Dragos and ESET have released details about an attack which took down part of a power grid in Kiev in 2016.
Dragos said it can also confirm that the group behind the attack goes by Electrum.
Electrum has ties to the Sandworm Team, which targeted infrastructure companies in the US in 2014 and Ukraine’s electric utilities in 2015.
“CrashOverRide represents alarming tradecraft and the ability to disrupt operations,” said Dragos.
It said the CrashOverRide malware is a modular framework whose payload modules speak the industrial control system protocols an electric grid relies on, driving them as designed rather than exploiting a software vulnerability.
Those modules send open commands to the circuit breakers controlled by remote terminal units and then repeat the commands in a loop, so the breakers stay open even when grid operators try to close them from the control system.
Grid operators can go back to manual operations to mitigate the attack, it said.
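The repeated-open behaviour described above is something a substation network monitor can look for. The block below is an added example, not code from Dragos, ESET or the malware: it parses IEC 60870-5-104 I-format frames (one of the grid protocols the Dragos report says CrashOverRide has a module for) and flags any breaker that receives a burst of OFF/open control commands. The frame builder, the sample frames, the threshold and the window are all constructed here for illustration and are assumptions, not observed attack traffic.

```python
"""Detect CrashOverRide-style breaker-open loops in IEC 60870-5-104 traffic.

Added example (not from the original article). Frames below are constructed
with build_command(); thresholds are illustrative assumptions.
"""
import struct
from collections import defaultdict

# ASDU type identifiers for the two control commands used to operate breakers.
C_SC_NA_1 = 45   # single command: SCS bit0, 0 = OFF (open), 1 = ON (close)
C_DC_NA_1 = 46   # double command: DCS bits0-1, 1 = OFF (open), 2 = ON (close)
COT_ACTIVATION = 6  # cause of transmission "activation" = operator/attacker command


def parse_apdu(buf):
    """Parse one IEC 104 APDU (start 0x68, length, 4 control bytes, ASDU).

    Returns None for S- and U-format frames (they carry no ASDU) or a dict
    with type_id, cot, ca and, for the two command types, [(ioa, element)].
    """
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if len(buf) != buf[1] + 2:
        raise ValueError("APDU length field does not match buffer")
    if buf[2] & 0x01:            # control octet bit0 set: S (01) or U (11) frame
        return None
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    sq, count = vsq >> 7, vsq & 0x7F
    cot = asdu[2] & 0x3F          # low 6 bits; bit6 = P/N, bit7 = test flag
    ca = struct.unpack_from("<H", asdu, 4)[0]   # common address, 2 bytes LE
    objects = []
    if type_id in (C_SC_NA_1, C_DC_NA_1):
        if sq:
            raise ValueError("SQ=1 is not used for control commands")
        pos = 6
        for _ in range(count):    # 3-byte IOA followed by a 1-byte SCO/DCO
            ioa = int.from_bytes(asdu[pos:pos + 3], "little")
            objects.append((ioa, asdu[pos + 3]))
            pos += 4
    return {"type_id": type_id, "cot": cot, "ca": ca, "objects": objects}


def is_open_command(type_id, element):
    """True when the command element requests OFF, i.e. opening the breaker."""
    if type_id == C_SC_NA_1:
        return (element & 0x01) == 0
    if type_id == C_DC_NA_1:
        return (element & 0x03) == 1
    return False


def find_open_loops(frames, threshold=3, window=10.0):
    """frames: iterable of (timestamp_seconds, apdu_bytes).

    Returns {(ca, ioa): n} for every breaker that received at least
    `threshold` OFF/open activations within any `window` seconds, where n is
    the largest such burst. Normal operation sends one open command; a loop
    that keeps re-opening the breaker produces a burst.
    """
    hits = defaultdict(list)
    for ts, raw in frames:
        apdu = parse_apdu(raw)
        if apdu is None or apdu["cot"] != COT_ACTIVATION:
            continue
        for ioa, element in apdu["objects"]:
            if is_open_command(apdu["type_id"], element):
                hits[(apdu["ca"], ioa)].append(ts)
    alerts = {}
    for key, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts[key] = max(alerts.get(key, 0), j - i + 1)
    return alerts


def build_command(type_id, ca, ioa, element, ns=0, nr=0, cot=COT_ACTIVATION):
    """Build an I-format APDU carrying one command object (constructed data)."""
    asdu = (bytes([type_id, 0x01, cot, 0x00]) + struct.pack("<H", ca)
            + ioa.to_bytes(3, "little") + bytes([element]))
    ctrl = struct.pack("<HH", ns << 1, nr << 1)   # N(S), N(R) in bits 1-15
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


# Constructed sample traffic: one legitimate close, then a loop of four open
# commands to breaker IOA 0x2002, then an S-format acknowledgement.
SAMPLE = [
    (0.0, build_command(C_SC_NA_1, 1, 0x1001, 0x01)),   # SCS=1: close, benign
    (1.0, build_command(C_DC_NA_1, 1, 0x2002, 0x01)),   # DCS=1: open
    (1.5, build_command(C_DC_NA_1, 1, 0x2002, 0x01)),
    (2.0, build_command(C_DC_NA_1, 1, 0x2002, 0x01)),
    (2.5, build_command(C_DC_NA_1, 1, 0x2002, 0x01)),
    (3.0, bytes([0x68, 0x04, 0x01, 0x00, 0x02, 0x00])),  # S-frame, no ASDU
]

if __name__ == "__main__":
    for (ca, ioa), n in find_open_loops(SAMPLE).items():
        print(f"ALERT: CA {ca} IOA {ioa:#x} received {n} open commands")
```

The detector keys on the combination the article describes: control commands whose cause of transmission is "activation" and whose element requests OFF, repeated against the same common address and information object address. A single open command is normal operator activity and does not alert; the loop is what stands out, and the alert can be correlated with operator console logs to see whether anyone at the utility actually issued it.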
“There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations,” said Dragos.
Even though it is not catastrophic, CrashOverRide remains a concerning capability, it added.