Industroyer

Malware updated 4 months ago (2024-06-05T03:17:32.367Z)
Download STIX
Preview STIX
Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The malware, attributed to the Russia-backed Sandworm group, was later leveraged in 2018 against Ukrainian government agencies and in a highly destructive attack prior to Russia's invasion of Ukraine in 2022. This version of Industroyer was customized to target high-voltage electrical substations, though it remains unclear how initial access was achieved. ESET's analysis of a backdoor utilized by TeleBots, the group responsible for the widespread NotPetya ransomware outbreak, revealed strong code similarities with the main Industroyer backdoor. This provided the first public evidence linking Industroyer to TeleBots, and consequently to NotPetya and BlackEnergy. The primary difference between the Industroyer toolset's backdoor and the new TeleBots backdoor is that the latter uses XML format for communication and configuration, rather than a custom binary format. In conjunction with the deployment of Industroyer 2 within the ICS network during the 2022 attacks, an updated variant of CaddyWiper malware was introduced. Both Industroyer 2 and CaddyWiper have been used by Russia-backed state groups in destructive attacks on organizations in Ukraine. Additionally, Industroyer shares similarities with CosmicEnergy, another operational technology malware that targets ICS and primarily focuses on disrupting electrical grids by interacting with the IEC-104 protocol.
Description last updated: 2024-06-05T03:15:36.237Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Sandworm is a possible alias for Industroyer. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi
6
CaddyWiper is a possible alias for Industroyer. CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip
4
BlackEnergy is a possible alias for Industroyer. BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a
4
Industroyer2 is a possible alias for Industroyer. Industroyer2 is a sophisticated piece of malware designed to target Industrial Control Systems (ICS), developed and deployed by the Russian state-sponsored advanced persistent threat group, Sandworm. The group has been active since 2007 and used Industroyer2 in a significant attack against Ukraine's
3
Sandworm Team is a possible alias for Industroyer. The Sandworm Team, a threat actor associated with Russia's military intelligence-linked group, has demonstrated significant capabilities in developing custom malware to target Operational Technology (OT) and Industrial Control Systems (ICSs). Since at least 2015, the team has used the "BlackEnergy"
2
Crashoverride is a possible alias for Industroyer. CrashOverride, also known as Industroyer, is a notorious malware that was leveraged in 2016 to disrupt Ukraine's power grid at the transmission substation level. This malicious software, believed to be state-sponsored by Russia, manipulated Industrial Control Systems (ICS) equipment through the abus
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ics
Ransomware
Ukraine
Wiper
Backdoor
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The NotPetya Malware is associated with Industroyer. NotPetya is a malicious software (malware) that caused extensive damage worldwide in 2017. It was initially perceived as ransomware, similar to other notorious variants such as WannaCry, Petya, TeslaCrypt, DarkSide, and REvil. However, unlike typical ransomware, NotPetya was primarily destructive rais related to
4
Source Document References
Information about the Industroyer Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
4 months ago
DARKReading
6 months ago
DARKReading
7 months ago
CERT-EU
7 months ago
CERT-EU
9 months ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
DARKReading
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
DARKReading
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago