On June 20th Check Point published an IPS signature providing virtual patching for the Siemens SIPROTEC DoS vulnerability. This IPS signature can help protect against a new malware, CrashOverride (also known as Industroyer), which is a direct threat to electric grid operators.
CrashOverride is the fourth piece of ICS-tailored malware used against such targets and only the second ever designed and deployed to disrupt physical industrial processes. CrashOverride was employed in the December 17th, 2016 cyber-attack on a transmission substation in Kiev, Ukraine, which disrupted electric grid operations.
This malware is an extensible platform that can be used to target critical infrastructure sectors, specifically by abusing the IEC 101, IEC 104 and IEC 61850 protocols (mainly used outside the Americas).
ICS-CERT issued an alert on this malware on June 14, 2017. The tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems; however, this malware can be stopped by taking the right precautions.