Hackers believed to be allied with the Russian government have devised a cyberweapon that has the potential to be highly disruptive against the world's electrical systems, researchers have reported.
The malware, which researchers have dubbed CrashOverride or Industroyer, is known to have disrupted the electrical system in Ukraine in December 2016, briefly shutting down one-fifth of Kyiv's electric power.
Dragos, one of the cybersecurity firms that identified the malware in a report on June 12, said Russian government hackers had shown an interest in targeting power grids in other countries as well, including the United States.
The malware is capable of attacking power systems across Europe and Asia, and "with small modifications" could be used in the United States to cause outages of up to a few days in portions of the grid, Dragos said.
With modifications, the malware could also attack other types of critical infrastructure, including local transportation providers, water systems, and natural gas suppliers, Dragos said.
On June 12, news of the discovery prompted the U.S. Department of Homeland Security to advise all critical infrastructure operators to make sure they were following recommended security practices.
Dragos named the group that created the new malware Electrum, and said it had high confidence that Electrum used the same computer systems as the hackers who attacked Ukraine's electrical grid in the earliest known incident in December 2015.
The 2015 attack, which left 225,000 customers without power, was carried out by Russian government hackers, U.S. researchers have concluded, and was linked to a group called Sandworm, which is believed to be associated with the Russian government.
Dragos said Sandworm and Electrum might be the same group, or two separate groups working within the same organization, but the forensic evidence shows they are related.
The malware samples from the 2016 attack in Ukraine were first obtained by ESET, a Slovakian research firm, which shared some of them with Dragos. ESET has dubbed the malware Industroyer, while Dragos calls it CrashOverride.
Industroyer or CrashOverride was specifically tailored to disrupt or destroy industrial-control systems, and represents the most powerful threat since Stuxnet, a worm created by the United States and Israel to disrupt Iran’s nuclear capability.