Industroyer

Malware Profile Updated 13 days ago
Industroyer, also known as CrashOverride, is a potent form of malware designed to target Industrial Control Systems (ICS), particularly those used in electrical substations. It supports four critical industrial protocols and has been notably deployed by the Russia-backed group Sandworm in destructive attacks on Ukrainian organizations. Its first significant use was in 2016, when it disrupted power to Kyiv for over six hours; Ukrainian government agencies were targeted in 2018. In 2022, during Russia's invasion, Industroyer was customized, alongside another malware named CaddyWiper, for an attack on high-voltage electrical substations in Ukraine. The means of initial access, however, remains unclear.

The TeleBots group, responsible for the massive NotPetya ransomware outbreak, has shown strong code similarities with the Industroyer main backdoor, establishing a connection between Industroyer, TeleBots, NotPetya, and BlackEnergy that had not previously been proven. An updated version of the Industroyer backdoor used by TeleBots switched to XML for communication and configuration instead of the custom binary format used earlier; this change is one of the primary differences between the original Industroyer toolset and the newer TeleBots backdoor.

Another malware, CosmicEnergy, which focuses on disrupting electrical grids, shares similarities with Industroyer in that it interacts with the IEC-104 protocol to cause power disruptions. The deployment of Industroyer 2 within the ICS network coincided with the introduction of an updated variant of the CaddyWiper malware, both attributed to the Sandworm group. This Industroyer variant includes logic-bomb functionality: it is delivered to the targeted machine as a Windows executable and executed on a schedule. Despite the emergence of novel malware, older tools like Industroyer and BlackEnergy continue to be used effectively in cyberattacks.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): Profile description

CaddyWiper (4 votes): CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip

BlackEnergy (4 votes): BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a

Industroyer2 (3 votes): Industroyer2 is a sophisticated piece of malware designed to target Industrial Control Systems (ICS), developed and deployed by the Russian state-sponsored advanced persistent threat group, Sandworm. The group has been active since 2007 and used Industroyer2 in a significant attack against Ukraine's

Sandworm Team (2 votes): The Sandworm Team, a threat actor associated with Russia's military intelligence-linked group, has demonstrated significant capabilities in developing custom malware to target Operational Technology (OT) and Industrial Control Systems (ICSs). Since at least 2015, the team has used the "BlackEnergy"

Crashoverride (2 votes): CrashOverride, also known as Industroyer, is a notorious malware that was leveraged in 2016 to disrupt Ukraine's power grid at the transmission substation level. This malicious software, believed to be state-sponsored by Russia, manipulated Industrial Control Systems (ICS) equipment through the abus
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Malware
Ics
Ukraine
Ransomware
Wiper
Backdoor
Associated Malware
ID (relationship, votes): Profile description

NotPetya (is related to, 4 votes): NotPetya is a destructive malware that masquerades as ransomware, originally identified in 2017. This malicious software was developed by the highly skilled cyber group known as Sandworm, which is reportedly responsible for large-scale cyber-attacks including the Ukraine power grid hack in December
Associated Threat Actors
ID (relationship, votes): Profile description

Sandworm (unspecified, 5 votes): Sandworm is a Russia-linked Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The group has been associated with several high-profile attacks, including compromising 11 Ukrainian telecommunications providers and deploying the previously unknown Kapeka backdoor. S
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Industroyer malware was read from the document corpus below. This display is limited to 20 results.
Source (created): Title

MITRE (a year ago): New TeleBots backdoor: First evidence linking Industroyer to NotPetya | WeLiveSecurity
CERT-EU (4 months ago): Analysis of OT cyberattacks and malwares
CERT-EU (a year ago): APT Profile: Sandworm - SOCRadar® Cyber Intelligence Inc.
InfoSecurity-magazine (a year ago): Google Report Reveals Russia's Elaborate Cyber Strategy in Ukraine
ESET (a year ago): RansomBoggs: New ransomware targeting Ukraine | WeLiveSecurity
CERT-EU (a year ago): CosmicEnergy's threat to critical infrastructure in dispute
ESET (a year ago): ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine | WeLiveSecurity
CERT-EU (a year ago): COSMICENERGY Malware May be Artifact of Russian Emergency Response Exercises
CERT-EU (2 months ago): Operational Technology Threats - ReliaQuest
CERT-EU (a year ago): CosmicEnergy ICS Malware Poses No Immediate Threat, but Should Not Be Ignored
CERT-EU (a year ago): Vulkan Playbook Leak Exposes Russia's Plans for Worldwide Cyberwar
MITRE (a year ago): Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure | Mandiant
CSO Online (a year ago): Attacks on industrial infrastructure on the rise, defenses struggle to keep up
CERT-EU (a year ago): Are our substations safe from cyber attacks?
CERT-EU (a year ago): Ukraine: a new wave of viruses threatens to consume all data
CERT-EU (a year ago): Summary of the most notable security threats of February
MITRE (a year ago): TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping | Mandiant
Securityaffairs (a year ago): Microsoft sheds light on a year of Russian hybrid warfare in Ukraine
CERT-EU (10 months ago): Can Cyber Insurance Help Legally Codify an International Definition for Cyber War?
CERT-EU (6 months ago): Sandworm, a Russian Threat Actor, Disrupted Power in Ukraine Via Cyberattack