Ukraine Blackouts Triggered by Malware Highlight Evolving Cybersecurity Threats to Physical Infrastructure

On a cold winter night in 2016, Ukrainians experienced the first-ever known blackout caused by malware specifically designed to attack the power grid. The malicious code plunged one-fifth of Kyiv’s citizens into darkness. Six years later, during the early months of the Russia-Ukraine war, a second attack attempted to combine cyber and kinetic assaults to incapacitate Ukraine’s power grid.
These incidents underscore the growing threat of malware attacks on physical infrastructure. Despite their significance, these attacks have received limited attention from the academic community. Both incidents, attributed to a Russian intelligence agency, highlight the evolution of cyber threats and the urgent need to understand and defend against such malware.
A new study, set to be presented on May 20 at the IEEE Symposium on Security and Privacy, explores the details of these malware attacks, known as Industroyer One and Two. Conducted by a team from UC Santa Cruz, the research delves into how the malware interacted with physical power system equipment.
“I want to emphasize how vulnerable our systems are,” said Alvaro Cardenas, the study’s advisor. “Seeing a nation-state design malware to take down another country’s power grid is a big deal. Our critical infrastructures are vulnerable, and we need to be better prepared to defend them.”
### Understanding Industroyer One and Two
The 2016 attack used malware named Industroyer One, while the similar 2022 attack used Industroyer Two. Both attacks were attributed to Russia’s military intelligence agency, the GRU, by the Five Eyes intelligence alliance.
Industroyer One acted like a Swiss army knife, capable of attacking both older systems using serial lines and modern systems using present-day communication protocols. It operated autonomously, requiring no human intervention once deployed, and compromised Windows computers in substations or control rooms to manipulate circuit breakers.
Industroyer Two was more specific, targeting particular IP addresses and devices within the power grid. Unlike its predecessor, it did not require configuration files and had eliminated many of the bugs present in Industroyer One.
### Creating a Sandbox for Study
To analyze the malware, the researchers created a sandbox—a software environment that mimicked the Ukrainian power grid. This allowed them to understand how the malware interacted with the system and to observe its evolution. Their sandbox is now available for other researchers to use.
The study found that both Industroyer attacks were fully automated and breached areas of the power grid designed to be disconnected from the internet for security. The malware targeted different types of circuit breakers, with the potential to cause local blackouts.
### Planning Future Defense
The evolution observed in the Industroyer attacks indicates that malware is becoming stealthier. Future attackers may target “intelligent electronic devices” (IEDs) embedded within systems, potentially sending malicious commands while reporting normal operation to human operators.
The researchers are working to develop a “honeypot,” a decoy system that can alert operators to an attack by detecting unauthorized activity. This honeypot aims to be versatile enough to function in various control systems, such as oil refineries and water treatment plants, in addition to power grids.
Collaborators on this project included Cardenas’ Ph.D. students Luis Salazar, Sebastian Castro, Juan Lozano, and Keerthi Koneru, as well as experts from several universities and organizations.
“The attacks could happen here, or pretty much anywhere in the world,” Cardenas said. “Systems are now all controlled by computers and use similar technology.”
This research emphasizes the critical need for enhanced cybersecurity measures to protect against evolving threats to our physical infrastructure.
