CRASHOVERRIDE
What is CRASHOVERRIDE?
CRASHOVERRIDE is the first ICS malware framework, discovered in an attack against a Ukrainian substation on December 17th, 2016. Robert Lee believes the Kiev attack was a test for future attacks. Based on Robert's assessment of CRASHOVERRIDE's functionality, there are components that were not needed for the substation attack in Kiev but would enable attacks against other ICS protocols and locations. This malware is unique compared to previous attacks because the primary use of the framework was to gather information about how the ICS system worked. [2] Once the attackers had learned how the Kiev substation worked, they used that knowledge to disrupt operations through a manual attack, which makes sophisticated attacks like this difficult to prevent. [3]
Aliases
None
Associated Individuals
Dragos believes that ELECTRUM wrote CRASHOVERRIDE, but another group was responsible for the attack itself. The Sandworm group was responsible for the "Ukraine operation against the Kiev transmission-level substation in 2016." [3]
Tactics
CRASHOVERRIDE is a malware framework that does not limit attackers to specific techniques or tactics. It is built as a platform whose functionality can be extended, giving it the ability to execute system commands.
Targets
Kiev substation in Ukraine.
References
[1] - https://dragos.com/resource/crashoverride-analyzing-the-malware-that-attacks-power-grids/
[2] - https://dragos.com/wp-content/uploads/CrashOverride-01.pdf
[3] - https://www.recordedfuture.com/crashoverride-malware-overview/