Volume 20
February 2018 Edition
Havex then zeroed in on the libraries and configuration files of Human-Machine Interfaces (HMIs), and used the HMIs to find equipment connected to the internet.
The most troubling aspect of the payload the malware dropped, however, was its modularity.
(The malware, dubbed CrashOverride, is just the second instance of malware specifically tailored to disrupt or destroy industrial control systems, according to new research.)
The terrorists infiltrated the corporate computer network with the same malware kit that had been used in the Dragonfly exploit, called Havex.
Havex utilized the industry-standard OPC (OLE for Process Control) protocol to map the utility's network environment and choose its targets.
The protocol is designed to facilitate interoperability between Microsoft Windows applications and industrial equipment.
The cyber security firm Dragos reverse-engineered the malware to reveal four modules:
• One to find a way into a network and keep the "backdoor" open
• One to drop malicious "payloads" into the network
• One to wipe data from storage media, and
• An interchangeable module that can carry out different kinds of attack
Destructive Payload
The fourth module is the most problematic.
It is designed to be localized for use in other regions of the world outside Ukraine.
Dragos reports: "CRASHOVERRIDE is not unique to any particular vendor or config-