meta_pixel
Tapesearch Logo
Log in
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Tuesday, June 13th 2017

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

Tech News, News, Technology

4.9696 Ratings

🗓️ 13 June 2017

⏱️ 6 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

Daily 5 min infosec news summary. News, patches, vulnerabilities and trends in information and cyber security. Industroyer/ #CrashOverride Power System Malware; Mac Spyware

Transcript

Click on a timestamp to play from that location

0:00.0

Hello, welcome to the Tuesday, June 13th, 2017 edition of the Santernet Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Washington, D.C.

0:13.2

ESAT and Tragos security released an analysis of malware that was found to disrupt power networks in the Ukraine.

0:23.5

The malware was originally found by ESET, who named it Industroar.

0:28.1

According to ESET, the malware was responsible for power outages in the Ukraine in December last year.

0:36.0

Only a single substation was affected by the attack at the time,

0:41.2

and Tarragos suggests that the attack was more of a proof of concept to test the capabilities

0:47.9

of this Malvern. Unlike prior malware, found to attack industrial control systems, for example, Black Energy 2,

0:56.9

which was responsible for the attacks in the Ukraine in 2015, this new malware is very modular.

1:05.0

It loads specific modules where each module is written to attack a specific industrial system control protocol.

1:13.4

The malware uses HTTP for command and control.

1:16.8

The HTTP requests are sent to a proxy inside the company's network,

1:22.3

and then Tor is used to protect the destination of the requests.

1:31.3

The command and control channel can be used to execute typical commands, like executing commands on the infected systems,

1:36.3

copying files on the infected systems.

1:39.3

However, the malware does not offer a built-in command to exfiltrate data. This could be installed later,

1:46.3

but it also shows how this particular malware focuses on disrupting the system, less on

1:53.2

exfiltrating information. An attacker would initiate an attack against a power company by loading

1:59.5

a configuration file specific to the company's network,

2:04.5

and then the attacker is able to, for example, the energized power lines, essentially turning off power for

2:11.1

part of the network, or initiate what Tregos calls an islanding event. In this scenario, power is cycled quickly multiple

2:21.0

times to trigger the power network's self-protection mechanism and disconnect the system from

2:27.8

the larger power network. According to Traygos, this could lead to multi-day power outages.

...

Please login to see the full transcript.

Previous episode | Next episode

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2025.