January 2016 - KillDisk Malware

Overview

Highly destructive malware that infected at least three regional power authorities in Ukraine led to a power failure that left hundreds of thousands of homes without electricity last week, researchers said.

The outage left about half of the homes in the Ivano-Frankivsk region of Ukraine without electricity, Ukrainian news service TSN reported in an article posted a day after the December 23 failure. The report went on to say that the outage was the result of malware that disconnected electrical substations. On Monday, researchers from security firm iSIGHT Partners said they had obtained samples of the malicious code that infected at least three regional operators. They said the malware led to "destructive events" that in turn caused the blackout. If confirmed it would be the first known instance of someone using malware to generate a power outage.

Update

This attack was directed at a specific SCADA product through modification of the komut.exe and sec_service.exe files. Survalent software does not contain or use those files; therefore we are immune to this particular malware.

Reports indicate that the malware was distributed by email with an Office document attachment. A user on the target network was induced to open the message in an email client running on the industrial control computer.
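The mechanism described above is the overwriting of specific SCADA executables. One control a site can run regardless of vendor is a file-integrity baseline over its own critical binaries. The following is an added example, not Survalent's code and not from the original advisory: it records SHA-256 digests of a list of files, then reports which have been modified or removed. The file names, directory and contents are constructed placeholders; a real deployment would point it at the site's own SCADA executables and keep the baseline off the monitored host.

```python
"""File-integrity check for a short list of critical executables.

Added example (not Survalent's code and not from the original advisory).
It records SHA-256 hashes of named files in a baseline and later reports
which files were modified or removed, the kind of change the advisory
describes (overwriting of specific SCADA executables). The file names
used in demo() are hypothetical placeholders, not real product files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Map each monitored path (as a string) to its SHA-256 digest."""
    return {str(p): sha256_of(Path(p)) for p in paths}


def verify_baseline(baseline: dict) -> dict:
    """Compare the current state of each baselined file against its digest.

    Returns {"ok": [...], "modified": [...], "missing": [...]} with full paths.
    """
    result = {"ok": [], "modified": [], "missing": []}
    for path, expected in baseline.items():
        p = Path(path)
        if not p.is_file():
            result["missing"].append(path)
        elif sha256_of(p) != expected:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    return result


def demo() -> dict:
    """Constructed scenario: baseline two hypothetical executables, then
    overwrite one and delete the other, as a destructive wiper would.
    Returns the verification report keyed by bare file name."""
    with tempfile.TemporaryDirectory() as d:
        svc = Path(d) / "example_service.exe"   # hypothetical name
        tool = Path(d) / "example_tool.exe"     # hypothetical name
        svc.write_bytes(b"MZ original service binary")
        tool.write_bytes(b"MZ original tool binary")
        baseline = build_baseline([svc, tool])
        # In practice the baseline is persisted off-host; JSON round-trip
        # stands in for that here so the check reads what was stored.
        stored = json.loads(json.dumps(baseline))
        svc.write_bytes(b"\x00" * 32)   # overwritten with junk
        tool.unlink()                   # removed
        report = verify_baseline(stored)
        return {k: [Path(x).name for x in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check only detects changes relative to a baseline taken while the system was known-good, so the baseline must be captured at commissioning and after each legitimate update, and compared from a host the SCADA server cannot write to.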

We always recommend that our customers:

  • Do not install an email client on the SCADA servers.
  • Do not install Office or similar programs on the SCADA servers.
  • Educate users on the dangers of opening attached Office documents (or files of any type) from untrusted sources.

More Info

http://arstechnica.com/security/2016/01/first-known-hacker-caused-power-outage-signals-troubling-escalation/