All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
CRASHOVERRIDE, aka, Industroyer, is the fourth family of malware publically identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial of service (DoS) to Siemens SIPROTEC devices.
NCCIC/ICS-CERT is in the process of analyzing samples of the CRASHOVERRIDE malware family, including an additional component for credential harvesting that is presumed to be related. As part of this analysis, ICS-CERT has developed a YARA signature to detect components, as well as potential variants of the malicious files ICS-CERT possesses.
Dragos, Inc., ESET, and US-CERT have released open source technical reports for the CRASHOVERRIDE malware family. These reports are available on their respective publisher’s web sites, found at the links below:
ICS-CERT has published instructions for using the YARA signature that is applicable to typical information technology environments. ICS-CERT recommends a phased approach to utilizing this YARA signature in an ICS environment. Test the use of the signature in a test/quality assurance/development ICS environment if one exists. If not, deploy the signature against backup or alternate systems in the top end of the ICS environment; this signature will not be usable on the majority of field devices.
ICS-CERT has produced a YARA signature to aid in identifying if the malicious files are present on a given system. This signature is provided “as is” and has not been fully tested for all variations or environments. Any positive or suspected findings should be immediately reported to ICS-CERT for further analysis and correlation. The YARA signature is available at:
YARA is a pattern-matching tool used to help identify malware. You can find usage help and download links on the main YARA page at:
http://plusvic.github.io/yara/ (link is external)
For use on a Windows machine, you can download the precompiled binaries at:
YARA 3.6.0 or higher is required to use the provided signature. ICS-CERT also provides a control systems recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.