The Crash Override Chronicles

Source: Crash Override Report by Dragos

The Plan

I’m planning to break down my understanding based on the following five posts which I’m calling the Crash Override Chronicles:

  • Overall Report: A run-through of the whole report, calling out the areas I need to focus on learning or investigating.
  • Victim — Domain Understanding: I know I don’t know much about the ICS domain and the power generation/transport world. I’m going to focus on gaining context.
  • Capability — Crash Override Malware: The report focused on the specific piece of malware the adversary used called Crash Override. Time for some malware analysis.
  • Infrastructure — Crash Override Infrastructure: Malware does not operate alone, even in the ICS world (nope, even the one you think worked by itself). There’s always infrastructure for delivery, command & control, and often actions over target.
  • Adversary — Electrum: Lastly I’d like to take all this and dig into the adversary behind the Crash Override campaign. There’s been a lot of speculation, and I don’t make any promises, but it makes a good conclusion.
Scott J Roberts: Network Defender, developer, speaker, writer, author of O’Reilly’s Intelligence Driven Incident Response, & SANS instructor. Bad guy catcher.