By: Kevin Poulsen of The Daily Beast
Seven minutes before midnight last Dec. 17, a bomb of sorts went off in a high-voltage substation north of Kiev.
But if you were standing outside the 20 acres of gleaming metal transformers and coils, you wouldn’t have heard a bang or seen a flash. It wasn’t that kind of bomb. It was a piece of malicious software that had been hiding in a control-room computer miles away, waiting for the right time to reveal itself. At 11:53 p.m., the logic bomb transmitted a staccato burst of pre-programmed commands to the substation, popping one circuit breaker after another until a strip of houses in and around western Kiev was plunged into darkness.
Technicians responded to the Pivnichna substation and took the circuit breakers off computer control, restoring power a little after 1 a.m. It was only the second confirmed case of a computer attack triggering an electrical blackout, and compared to the first, 12 months earlier—also in Ukraine—it was a fizzle, affecting far fewer customers and for a fraction of the time. In the six months since the Kiev attack, security researchers have wondered why the hackers even bothered with such a fleeting disruption and speculated that someone was using Ukraine as a testing ground for a more serious attack.
Now that dark assessment seems to be confirmed. Researchers at two security companies on Monday announced they’ve finally found and analyzed the malware that triggered the Kiev blackout, and it’s far worse than imagined. The computer code, dubbed “CrashOverride” by Maryland-based Dragos, and “Industroyer” by ESET in Slovakia, is a genuine cyber weapon that can map out a power station’s control network and, with minimal human guidance, issue malicious commands directly to critical equipment. Only once before has the world seen malware designed for such sabotage, with the 2010 Stuxnet virus used against Iran’s nuclear program. CrashOverride is the first to target civilians and the first such malware built to target a nation’s power supply.