Crashoverride

Malware profile last updated: 2024-05-04T16:23:23.975Z
CrashOverride, also known as Industroyer, is the malware used in the December 2016 attack on Ukraine's power grid, which targeted a transmission-level substation serving Kyiv. Widely attributed to a Russian state-sponsored group (the Sandworm Team), it manipulated Industrial Control Systems (ICS) equipment by speaking legitimate ICS protocols to substation devices rather than exploiting vulnerabilities in them, and it caused an outage of roughly one hour in part of the city. The malware was unusual in that its payload modules ran autonomously once deployed: the attackers did not need to keep "hands on the keyboard" during the attack, which makes the approach repeatable across many targets at once.

In the lineage of ICS-specific malware (malware that directly references industrial processes or protocols), CrashOverride followed Stuxnet and Havex and preceded Trisis and Industroyer2. Its significance goes beyond digital disruption: by issuing control commands to substation equipment it could have caused physical damage and endangered human life, a consequence earlier disruptive attacks had not demonstrated. It was engineered specifically for electrical substation environments, which shows how targeted it was.

Newer ICS-specific malware such as CosmicEnergy, and supporting tools such as the CaddyWiper data-wiper deployed alongside Industroyer2, have appeared since, but CrashOverride remains relevant. In 2022 the Sandworm Team attempted to disrupt Ukrainian energy providers with Industroyer2, an updated variant, together with other malware. Analysts have also noted that while CosmicEnergy resembles CrashOverride, it lacks the same full-fledged attack capabilities, which underscores the continuing potency of the 2016 tooling.
Description last updated: 2024-04-30T21:17:05.707Z
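The description above says CrashOverride drove substation equipment through legitimate ICS protocols. Public analyses of the sample (ESET's and Dragos's 2017 reports) document that one of its payload modules speaks IEC 60870-5-104, sweeping ranges of information object addresses (IOAs) with on/off commands, which is a pattern a network monitor can look for. The following is an added detection example written for this page, not code from the original page or from any vendor: it parses raw IEC 104 APDUs, extracts control commands, and flags a common address that receives commands to many distinct IOAs or has the same IOA driven both ways. The byte streams, IOA numbers, common address and the threshold of 10 IOAs are constructed assumptions for the example.

```python
import struct
from collections import defaultdict

# ASDU type identifiers for control (command) ASDUs, from IEC 60870-5-101/104.
C_SC_NA_1, C_DC_NA_1, C_RC_NA_1 = 45, 46, 47   # single / double / regulating step command
C_SC_TA_1, C_DC_TA_1, C_RC_TA_1 = 58, 59, 60   # same, with a 7-byte CP56Time2a time tag
# Size of the information element that follows the 3-byte IOA for each command type.
ELEMENT_SIZE = {45: 1, 46: 1, 47: 1, 58: 8, 59: 8, 60: 8}
COT_ACTIVATION = 6


def build_i_frame(type_id, ioa, element, send_seq, recv_seq, cot=COT_ACTIVATION, ca=1):
    """Build one IEC 104 I-format APDU carrying a single information object (constructed test data)."""
    asdu = bytes([type_id, 0x01])                              # type id, VSQ: SQ=0, one object
    asdu += struct.pack('<H', cot) + struct.pack('<H', ca)     # COT + originator 0, common address
    asdu += ioa.to_bytes(3, 'little') + bytes(element)
    body = struct.pack('<HH', send_seq << 1, recv_seq << 1) + asdu   # I-frame control fields
    return bytes([0x68, len(body)]) + body


def parse_commands(stream):
    """Walk a raw IEC 104 byte stream, return (type_id, cot, ca, ioa, element) per control object."""
    commands, off = [], 0
    while off < len(stream):
        if off + 2 > len(stream) or stream[off] != 0x68:
            raise ValueError(f"bad APDU start at offset {off}")
        length = stream[off + 1]
        apdu = stream[off + 2:off + 2 + length]
        if len(apdu) != length:
            raise ValueError(f"truncated APDU at offset {off}")
        off += 2 + length
        if apdu[0] & 0x01:                 # S- or U-format frame: carries no ASDU
            continue
        asdu = apdu[4:]
        type_id, vsq = asdu[0], asdu[1]
        if type_id not in ELEMENT_SIZE or vsq & 0x80:   # not a command, or SQ=1 (unused for commands)
            continue
        cot = asdu[2] & 0x3F               # cause of transmission, without P/N and test bits
        ca = struct.unpack('<H', asdu[4:6])[0]
        size, pos = ELEMENT_SIZE[type_id], 6
        for _ in range(vsq & 0x7F):
            ioa = int.from_bytes(asdu[pos:pos + 3], 'little')
            commands.append((type_id, cot, ca, ioa, asdu[pos + 3:pos + 3 + size]))
            pos += 3 + size
    return commands


def summarize(commands):
    """Per common address: distinct IOAs commanded, and IOAs driven to both states."""
    ioas = defaultdict(set)
    states = defaultdict(lambda: defaultdict(set))
    for type_id, cot, ca, ioa, element in commands:
        if cot != COT_ACTIVATION:
            continue
        ioas[ca].add(ioa)
        if type_id in (C_SC_NA_1, C_SC_TA_1):
            states[ca][ioa].add(element[0] & 0x01)    # SCS bit: 0=off, 1=on
        elif type_id in (C_DC_NA_1, C_DC_TA_1):
            states[ca][ioa].add(element[0] & 0x03)    # DCS: 1=off, 2=on
    return {ca: {"distinct_ioas": len(ioas[ca]),
                 "toggled_ioas": sorted(i for i, s in states[ca].items() if len(s) > 1)}
            for ca in ioas}


def is_industroyer_like(summary, ioa_threshold=10):
    """Flag a common address commanded on many distinct IOAs or with IOAs flipped both ways (assumed threshold)."""
    return any(s["distinct_ioas"] >= ioa_threshold or s["toggled_ioas"] for s in summary.values())


def benign_stream():
    """Operator closing one breaker then opening another (constructed)."""
    return (build_i_frame(C_SC_NA_1, 1001, b"\x01", 0, 0)
            + build_i_frame(C_DC_NA_1, 1002, b"\x01", 1, 1))


def industroyer_like_stream():
    """Sweep of IOAs 1000..1019, each driven on then off, as the 104 payload's range sweep does (constructed)."""
    stream, seq = b"", 0
    for ioa in range(1000, 1020):
        for scs in (b"\x01", b"\x00"):
            stream += build_i_frame(C_SC_NA_1, ioa, scs, seq, seq)
            seq += 1
    return stream


if __name__ == "__main__":
    for name, stream in (("benign", benign_stream()), ("sweep", industroyer_like_stream())):
        summary = summarize(parse_commands(stream))
        print(name, summary, "SUSPICIOUS" if is_industroyer_like(summary) else "ok")
```

The heuristic is deliberately coarse: a legitimate SCADA master also issues single and double commands, so the signal is the breadth of the sweep and the on/off flapping from one source, not any single command. Tune the threshold to the site's normal command rate and feed the parser from a TCP reassembly of port 2404 traffic rather than raw packets, since APDUs do not align with segment boundaries.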
Possible Aliases / Cluster overlaps
Vendors track clusters and naming conventions differently, so these are possible overlapping names or profiles worth checking.
Alias: Industroyer (votes: 2)
Industroyer is a possible alias for Crashoverride. Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the December 2016 cyberattack on Ukraine's power grid, which caused an outage of roughly one hour in part of Kyiv. The ma
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
ICS
Malware
Dragos
Associated Threat Actors
Threat actor: Havex (association type: Unspecified; votes: 2)
Havex is associated with Crashoverride. Havex is the remote-access trojan used by the Dragonfly group (also tracked as Energetic Bear), which is why the name is often applied to the group itself. First spotted in 2013, Havex was part of a broad industrial espionage campaign that specifically targeted Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems.