Power Grid on Alert After Two Cybersecurity Warnings Issued this Week

This week, two different cybersecurity warnings were issued in the U.S., flagging significant potential threats to the electricity grid.

The first threat is ‘CrashOverride’, a malware program associated with Russia that was specifically designed and successfully used (outside the U.S.) to target electric power grid infrastructure.  The second threat is ‘DeltaCharlie’, a malware program associated with North Korea that targets critical infrastructure and other sectors.

Electrum’s CrashOverride

On June 13, the North American Electric Reliability Corporation (NERC) issued a Level-1 Alert to share critical reliability information and recommended actions associated with the cybersecurity threat with key organizations in the electricity industry, such as electric generators, distributors, transmission owners, and balancing authorities.

It started when the Slovakian cybersecurity firm ESET found dangerous malware that it called ‘Industroyer’. ESET believes this program was involved in the December 2016 cyber-attack on the Ukrainian grid (specifically, de-energizing a transmission substation) that caused an hour-long blackout in the capital, Kiev. ESET found that Industroyer is capable of “…directly controlling electricity substation switches and circuit breakers…The potential impact may range from simply turning off power distribution, triggering a cascade of failures, to more serious damage to equipment.”

ESET declared the malware to be the most dangerous cyber threat to industrial control systems since Stuxnet, which brought down Iran’s nuclear program.

ESET notified the U.S. cybersecurity firm Dragos on June 8 about the threat, seeking validation of ESET’s results. Dragos and ESET both released reports on the malware on June 12. The Dragos report renames the malware ‘CrashOverride’ and provides an analysis of power system threats. Dragos links CrashOverride to a cyber-espionage group it tracks as Electrum, which apparently has ties to Russia.

The Department of Homeland Security (DHS) also issued an alert about CrashOverride to a broader audience, and NERC released a statement that no instances of the malware had yet been reported in North America.

Hidden Cobra’s DeltaCharlie

On June 13, DHS and the Federal Bureau of Investigation (FBI) jointly issued an alert on the malware ‘DeltaCharlie,’ developed by Hidden Cobra. Hidden Cobra is the U.S. government’s name for cyber activity led by the North Korean government. Others call the group the ‘Guardians of Peace’ or the ‘Lazarus Group’, which was responsible for the 2014 hack on Sony Pictures.

The joint release stated that Hidden Cobra has targeted, and continues to target, “media, aerospace, financial, and critical infrastructure sectors” in the U.S. and globally. This group of actors has successfully leveraged its capabilities to extract data or cause disruptions in the past, commonly targeting older versions of Microsoft Windows operating systems.

DeltaCharlie has been used to manage distributed denial of service (DDoS) botnet infrastructure. DDoS attacks flood targeted servers with high volumes of web traffic all at once, overloading the capacity of the servers and crowding out legitimate website traffic. As an example, DDoS attacks have targeted servers hosting Twitter, Spotify, Netflix, Airbnb, and other notable websites. The DeltaCharlie infrastructure was originally identified by a coalition of security companies led by Novetta in 2016, and is now linked to North Korea.

Waiting to Exhale

So, this all sounds extremely concerning.

Are we moving towards the “Zero Days” future (referring to the Alex Gibney documentary warning of large-scale cyber-attacks)? Are cyber technologies becoming more sophisticated, and the activists using them more distributed, than our ability to defend against them?

If there is any recent good news pertaining to cyberattacks and the electricity grid, it would be the June 9 release of a joint report from FERC and NERC analyzing the ability of the electricity grid to recover from blackouts – e.g. from a cyber-attack or weather event – absent certain digital grid monitoring and recovery technologies.

The study examined only a handful of participants, but did find these entities were able to manually restore normal operations – absent digital technologies – though the process was time consuming.

A little peace of mind in an otherwise crazy week!

Christina Simeone

Kleinman Center Senior Fellow
Christina Simeone is a senior fellow at the Kleinman Center for Energy Policy and a doctoral student in advanced energy systems at the Colorado School of Mines and the National Renewable Energy Laboratory, a joint program.