- Salazar, Luis;
- Castro, Sebastián R;
- Lozano, Juan;
- Koneru, Keerthi;
- Zambon, Emmanuele;
- Huang, Bing;
- Baldick, Ross;
- Krotofil, Marina;
- Rojas, Alonso;
- Cardenas, Alvaro A
In this paper, we study two pieces of malware that attempted to create blackouts in Ukraine. In particular, we design and develop a new sandbox that emulates different networks, devices, and other characteristics so that we can execute malware targeting substation equipment and understand in detail the specific sequence of actions the attackers could perform on substation equipment. We also study the effects that future similar malware can have. Our findings include new malware behavior not previously documented (such as the detailed algorithm for the MMS protocol payload) and an illustration of how attacking different targets will produce different effects.