Industroyer

Malware Profile Updated 2 months ago
Industroyer, also known as CrashOverride, is malware built specifically to attack Industrial Control Systems (ICS) in electrical substations. It gained notoriety in the December 2016 cyberattack on Ukraine's power grid, which cut power to part of Kyiv for roughly an hour. The malware is attributed to the Russia-backed Sandworm group. In 2018 a closely related backdoor (Win32/Exaramel) was found in a Ukrainian organization, and in April 2022, after Russia's full-scale invasion of Ukraine, a new variant, Industroyer2, was deployed against a Ukrainian energy provider in an attack that was detected before it caused an outage. That variant was customized for the target's high-voltage electrical substations, though it remains unclear how initial access to the ICS network was achieved.

ESET's analysis of the backdoor used by TeleBots, the group behind the widespread NotPetya outbreak, revealed strong code similarities with the main Industroyer backdoor. This provided the first public evidence linking Industroyer to TeleBots, and consequently to NotPetya and BlackEnergy. The primary difference between the Industroyer toolset's backdoor and the newer TeleBots backdoor is that the latter uses XML for communication and configuration rather than a custom binary format.

Alongside Industroyer2 in the ICS network, the 2022 attack also deployed an updated variant of the CaddyWiper malware. Both Industroyer2 and CaddyWiper have been used by Russia-backed state groups in destructive attacks on organizations in Ukraine. Industroyer also shares traits with CosmicEnergy, another operational technology malware that targets ICS and focuses on disrupting electrical grids by issuing commands over the IEC-104 (IEC 60870-5-104) protocol.
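Industroyer's IEC-104 payload and CosmicEnergy's Lightwork component both work by sending IEC-104 control commands (single or double commands with select/execute semantics) to RTUs. As an added example that is not part of this profile or of any vendor report, the following Python inspector parses IEC-104 I-format frames and flags command ASDUs (single/double commands, set-points, interrogations) that do not originate from an allow-listed master station. The frames, the IP addresses and the allow-list are constructed for illustration; a real deployment would read frames from a network tap and build the master list from the substation's actual SCADA inventory.

```python
"""Minimal IEC 60870-5-104 inspector for control-direction commands.

Added detection example; not code from the Industroyer profile, ESET, Dragos
or Mandiant. It parses the I-format APDUs that carry ASDUs and flags command
ASDUs sent from a host that is not in a constructed allow-list of legitimate
master stations. All frames and addresses below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

START_BYTE = 0x68

# Control-direction ASDU type IDs (subset of IEC 60870-5-101/104).
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set-point (normalised)",
    49: "C_SE_NB_1 set-point (scaled)",
    50: "C_SE_NC_1 set-point (float)",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    100: "C_IC_NA_1 station interrogation",
    101: "C_CI_NA_1 counter interrogation",
    103: "C_CS_NA_1 clock synchronisation",
    105: "C_RP_NA_1 reset process",
}
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation confirmation",
             10: "activation termination"}
# Command types whose information element is a one-byte qualifier (SCO/DCO/RCO).
ONE_BYTE_QUALIFIER = {45, 46, 47, 58, 59, 60}


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    objects: List[Tuple[int, Optional[int]]] = field(default_factory=list)


def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Return the ASDU carried by an I-format APDU, or None for S/U-format or malformed input."""
    if len(data) < 6 or data[0] != START_BYTE:
        return None
    apdu_len = data[1]                      # length of control field + ASDU
    if apdu_len < 4 or 2 + apdu_len > len(data):
        return None
    if data[2] & 0x01:                      # bit 0 set: S-format or U-format, no ASDU
        return None
    body = data[6:2 + apdu_len]
    if len(body) < 6:
        return None
    type_id, vsq = body[0], body[1]
    count, sequence = vsq & 0x7F, bool(vsq & 0x80)
    cot = body[2] & 0x3F                    # low 6 bits; bit 6 = P/N, bit 7 = test
    common_addr = body[4] | (body[5] << 8)
    asdu = Asdu(type_id, cot, common_addr)
    pos = 6
    # Commands always use SQ=0 with one object; for SQ=1 frames only the leading IOA is read.
    for _ in range(1 if sequence else count):
        if pos + 3 > len(body):
            break
        ioa = body[pos] | (body[pos + 1] << 8) | (body[pos + 2] << 16)
        pos += 3
        elem = None
        if type_id in ONE_BYTE_QUALIFIER and pos < len(body):
            elem, pos = body[pos], pos + 1
        asdu.objects.append((ioa, elem))
    return asdu


def describe_qualifier(type_id: int, q: int) -> str:
    """Decode the commanded state and the select/execute bit of an SCO or DCO byte."""
    if type_id in (45, 58):                 # SCO: bit 0 = state
        state = "ON" if q & 0x01 else "OFF"
    else:                                   # DCO: bits 0-1, 1 = OFF, 2 = ON
        state = {1: "OFF", 2: "ON"}.get(q & 0x03, "invalid")
    phase = "select" if q & 0x80 else "execute"
    return f"{state}/{phase}"


def inspect_frame(src_ip: str, data: bytes, allowed_masters) -> Optional[str]:
    """Alert text for a command ASDU from an unexpected source, else None."""
    asdu = parse_apdu(data)
    if asdu is None or asdu.type_id not in CONTROL_TYPE_IDS or src_ip in allowed_masters:
        return None
    objs = []
    for ioa, q in asdu.objects:
        desc = f"IOA {ioa}"
        if q is not None and asdu.type_id in (45, 46, 58, 59):
            desc += " " + describe_qualifier(asdu.type_id, q)
        objs.append(desc)
    return (f"command from non-master {src_ip}: {CONTROL_TYPE_IDS[asdu.type_id]}, "
            f"cot={COT_NAMES.get(asdu.cot, asdu.cot)}, ca={asdu.common_addr}, " + "; ".join(objs))


# Constructed frames: I-format with send/receive sequence numbers 0, common address 1.
SC_EXECUTE_ON = bytes.fromhex("680e000000002d010600010001010001")  # C_SC_NA_1, IOA 257, ON/execute
DC_SELECT_ON = bytes.fromhex("680e000000002e010600010002010082")   # C_DC_NA_1, IOA 258, ON/select
SPONTANEOUS = bytes.fromhex("680e00000000010103000100010100" "01")  # M_SP_NA_1 status from an RTU
TESTFR_ACT = bytes.fromhex("680443000000")                           # U-format keepalive, no ASDU
ALLOWED_MASTERS = {"10.0.5.10"}   # constructed address of the legitimate HMI/master


def scan(events, allowed_masters=ALLOWED_MASTERS) -> List[str]:
    """Run the check over (src_ip, frame) pairs and collect alert lines."""
    alerts = [inspect_frame(ip, frame, allowed_masters) for ip, frame in events]
    return [a for a in alerts if a]


if __name__ == "__main__":
    for line in scan([("10.0.5.23", SC_EXECUTE_ON), ("10.0.5.10", SC_EXECUTE_ON),
                      ("10.0.5.23", DC_SELECT_ON), ("10.0.5.40", SPONTANEOUS),
                      ("10.0.5.23", TESTFR_ACT)]):
        print("ALERT", line)
```

Only the two commands from the non-allow-listed host produce alerts; the same command from the legitimate master, the RTU's spontaneous status report and the U-format keepalive are ignored. A source-address allow-list is a coarse check, since the 2016 and 2022 intrusions ran the malware from hosts already inside the ICS network, so in practice it should be paired with a baseline of which IOAs each master normally commands.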
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): profile description

Sandworm (6 votes): Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met

CaddyWiper (4 votes): CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip

BlackEnergy (4 votes): BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a

Industroyer2 (3 votes): Industroyer2 is a sophisticated piece of malware designed to target Industrial Control Systems (ICS), developed and deployed by the Russian state-sponsored advanced persistent threat group, Sandworm. The group has been active since 2007 and used Industroyer2 in a significant attack against Ukraine's

Crashoverride (2 votes): CrashOverride, also known as Industroyer, is a notorious malware that was leveraged in 2016 to disrupt Ukraine's power grid at the transmission substation level. This malicious software, believed to be state-sponsored by Russia, manipulated Industrial Control Systems (ICS) equipment through the abus

Sandworm Team (2 votes): The Sandworm Team, a threat actor associated with Russia's military intelligence-linked group, has demonstrated significant capabilities in developing custom malware to target Operational Technology (OT) and Industrial Control Systems (ICSs). Since at least 2015, the team has used the "BlackEnergy"

Cosmicenergy (1 vote): CosmicEnergy is a form of malware allegedly originating from Russia that targets industrial control systems, specifically those associated with electrical grids. Unlike other forms of malware, CosmicEnergy lacks the built-in functionality to autonomously discover and identify target systems within a

Telebots (1 vote): TeleBots, a notorious threat actor group also known as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognize

Win32/exaramel (1 vote): Win32/Exaramel is a type of malware, specifically a backdoor, that can infiltrate systems through suspicious downloads, emails, or websites. Once deployed by a dropper, it can exploit and damage the infected computer or device, potentially stealing personal information or disrupting operations. The

Pipedream (1 vote): Pipedream, a highly sophisticated malware discovered in 2022, has been designed specifically to infiltrate and control Industrial Control Systems (ICS). Unlike previous ICS-specific malware that was limited to particular industrial segments, Pipedream exhibits versatility across various sectors. It

Lightwork (1 vote): Lightwork is a disruptive malware tool written in C++, designed to manipulate the state of Remote Terminal Units (RTUs) over TCP using the IEC-104 protocol. It operates alongside another component called Piehop, both of which are part of a new malware system known as CosmicEnergy. According to cyber
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, ICS, Ukraine, Ransomware, Wiper, Backdoor, Dragos, Mandiant, exploitation, ESET, Russia, Exploit, Windows, State Sponso..., SentinelOne, russian, Reconnaissance, Ukraine’s
Associated Malware
ID (relation type; votes): profile description

NotPetya (is related to; 4 votes): NotPetya is a notorious malware that was unleashed in 2017, primarily targeting Ukraine but eventually impacting systems worldwide. This malicious software, which initially appeared to be ransomware, was later revealed to be data destructive malware, causing widespread disruption rather than seeking

Stuxnet (unspecified; 1 vote): Stuxnet, a notorious malware discovered in 2010, is one of the most infamous Advanced Persistent Threat (APT) attacks in history. This military-grade cyberweapon was co-developed by the United States and Israel to specifically target Iran's nuclear enrichment facility at Natanz. The Stuxnet worm, a

TRITON (unspecified; 1 vote): Triton is a sophisticated malware that has been historically used to target the energy sector. It was notably used in 2017 by the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM) to attack a Middle East petrochemical facility. The malware, also known as Trisis and

Acidpour (unspecified; 1 vote): AcidPour is a newly identified malware that has been specifically designed to target Linux x86 devices. As a wiper, AcidPour's primary function is to erase data from the infected device, leading to significant disruptions in operations and potential loss of valuable information. The malware infiltra

GreyEnergy (unspecified; 1 vote): GreyEnergy is a type of malware, or malicious software, designed to exploit and damage computer systems. It is believed to have been used in attacks on Ukraine's power grid in 2018 by the Russia-linked Advanced Persistent Threat (APT) group, Sandworm. Security firm WithSecure has identified overlaps
Associated Threat Actors
ID (relation type; votes): profile description

Caddy Wiper (unspecified; 1 vote): no description available
Associated Vulnerabilities
ID (relation type; votes): profile description

Industroyer Crashoverride (unspecified; 1 vote): no description available
Source Document References
Information about the Industroyer malware was read from the documents listed below. This display is limited to 20 results.
Source (created): title

DARKReading (2 months ago): Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
DARKReading (3 months ago): To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware
DARKReading (4 months ago): Russian APT Releases More Deadly Variant of AcidRain Wiper Malware
CERT-EU (5 months ago): Operational Technology Threats - ReliaQuest
CERT-EU (7 months ago): Analysis of OT cyberattacks and malwares
CERT-EU (8 months ago): Sandworm, a Russian Threat Actor, Disrupted Power in Ukraine Via Cyberattack
CERT-EU (9 months ago): Russian Hackers Sandworm Cause Power Outage in Ukraine Amidst Missile Strikes
InfoSecurity-magazine (9 months ago): Russian APT Sandworm Disrupted Power in Ukraine Using OT Techniques
DARKReading (9 months ago): Sandworm Cyberattackers Down Ukrainian Power Grid During Missile Strikes
CERT-EU (10 months ago): Is Future Escalation in Cyber Conflict a Foregone Conclusion?
CERT-EU (a year ago): Russian cyber war tactics continue to evolve, says SBU - TechCentral.ie
DARKReading (a year ago): A Brief History of ICS-Tailored Attacks
CERT-EU (a year ago): ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine
CERT-EU (a year ago): TETRA:BURST — 5 New Vulnerabilities Exposed in Widely Used Radio Communication System
CERT-EU (a year ago): Can Cyber Insurance Help Legally Codify an International Definition for Cyber War?
BankInfoSecurity (a year ago): Dutch Critical OT Systems Vulnerable to Hacks
CERT-EU (a year ago): What is Cyberwar?
CERT-EU (a year ago): CosmicEnergy ICS Malware Poses No Immediate Threat, but Should Not Be Ignored
CERT-EU (a year ago): COSMICENERGY Malware May be Artifact of Russian Emergency Response Exercises
CERT-EU (a year ago): CosmicEnergy’s threat to critical infrastructure in dispute