Analyzing ELECTRUM: The Active Group Behind CRASHOVERRIDE

Stage 2

In analyzing the 2016 Ukraine power grid attack and its surrounding infrastructure, and comparing it to past events, a specific actor (ELECTRUM) was identified behind the development and deployment of a new malware framework, CRASHOVERRIDE. This session will provide an overview of this group's operations and of developments observed since the December 2016 event, to arm and prepare the community. Significant new information on this threat actor will be presented in this session.

Various private sources show research, reconnaissance and development activity indicative of a well-resourced and directed threat actor methodically analyzing the target network, identifying data of interest, and developing an attack payload to carry out the attack seen in 2016.

Additionally, further research and private data indicates an overlap, if not an operational relationship, with the threat actor identified as SANDWORM. While we do not wish to attribute this activity to a specific country or other group, the evidence collected thus far indicates that the group responsible for CRASHOVERRIDE has a relationship with a known APT.

Attacks and Attackers