Cyber firms warn of malware that could cause power outages

(Adds details from U.S. government alert)

By Jim Finkle

June 12 (Reuters) - Two cyber security firms have uncovered malicious software that they believe caused a December 2016 Ukraine power outage, they said on Monday, warning the malware could be easily modified to harm critical infrastructure operations around the globe.

ESET, a Slovakian anti-virus software maker, and Dragos Inc, a U.S. critical-infrastructure security firm, released detailed analyses of the malware, known as Industroyer or Crash Override, and issued private alerts to governments and infrastructure operators to help them defend against the threat.

The U.S. Department of Homeland Security said it was investigating the malware, though it had seen no evidence to suggest it has infected U.S. critical infrastructure.

The two firms said they did not know who was behind the cyber attack. Ukraine has blamed Russia, though officials in Moscow have repeatedly denied blame.

Still, the firms warned that there could be more attacks using the same approach, either by the group that built the malware or copycats who modify the malicious software.

"The malware is really easy to re-purpose and use against other targets. That is definitely alarming," ESET malware researcher Robert Lipovsky said in a telephone interview. "This could cause wide-scale damage to infrastructure systems that are vital."

The Department of Homeland Security corroborated that warning, saying it was working to better understand the threat posed by Crash Override.

"The tactics, techniques and procedures described as part of the Crash Override malware could be modified to target U.S. critical information networks and systems," the agency said in an alert posted on its website.

The alert posted some three dozen technical indicators that a system had been compromised by Crash Override and asked firms to contact the agency if they suspected their systems were compromised by the malware.

Dragos founder Robert M. Lee said the malware was capable of attacking power systems across Europe and could be leveraged against the United States "with small modifications."

It is able to cause outages of up to a few days in portions of a nation's grid, but is not potent enough to bring down a country's entire grid, Lee said by phone.

With modifications, the malware could attack other types of infrastructure including local transportation providers, water and gas providers, Lipovsky said.

Power firms are concerned there will be more attacks, Alan Brill, a leader of Kroll's cyber security practice, said in a telephone interview.