Industroyer

Malware updated 15 days ago (2024-11-29T14:27:53.086Z)
Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The malware, attributed to the Russia-backed Sandworm group, was later leveraged in 2018 against Ukrainian government agencies and in a highly destructive attack prior to Russia's invasion of Ukraine in 2022. That version of Industroyer was customized to target high-voltage electrical substations, though it remains unclear how initial access was achieved.

ESET's analysis of a backdoor used by TeleBots, the group responsible for the widespread NotPetya ransomware outbreak, revealed strong code similarities with the main Industroyer backdoor. This provided the first public evidence linking Industroyer to TeleBots, and consequently to NotPetya and BlackEnergy. The primary difference between the backdoor in the Industroyer toolset and the newer TeleBots backdoor is that the latter uses an XML format for communication and configuration rather than a custom binary format.

During the 2022 attacks, an updated variant of the CaddyWiper malware was deployed alongside Industroyer 2 within the ICS network. Both Industroyer 2 and CaddyWiper have been used by Russia-backed state groups in destructive attacks on organizations in Ukraine. Industroyer also shares similarities with CosmicEnergy, another operational technology malware that targets ICS and focuses primarily on disrupting electrical grids by interacting with the IEC-104 protocol.
Description last updated: 2024-06-05T03:15:36.237Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes

Sandworm (6 votes): Sandworm is a possible alias for Industroyer. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c

CaddyWiper (4 votes): CaddyWiper is a possible alias for Industroyer. CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip

BlackEnergy (4 votes): BlackEnergy is a possible alias for Industroyer. BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a

Industroyer2 (3 votes): Industroyer2 is a possible alias for Industroyer. Industroyer2 is a sophisticated piece of malware designed to target Industrial Control Systems (ICS), developed and deployed by the Russian state-sponsored advanced persistent threat group, Sandworm. The group has been active since 2007 and used Industroyer2 in a significant attack against Ukraine's

Sandworm Team (2 votes): Sandworm Team is a possible alias for Industroyer. The Sandworm Team, a threat actor associated with Russia's military intelligence-linked group, has demonstrated significant capabilities in developing custom malware to target Operational Technology (OT) and Industrial Control Systems (ICSs). Since at least 2015, the team has used the "BlackEnergy"

Crashoverride (2 votes): Crashoverride is a possible alias for Industroyer. CrashOverride, also known as Industroyer, is a notorious malware that was leveraged in 2016 to disrupt Ukraine's power grid at the transmission substation level. This malicious software, believed to be state-sponsored by Russia, manipulated Industrial Control Systems (ICS) equipment through the abus
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Malware, ICS, Ransomware, Ukraine, Wiper, Backdoor
Associated Malware
Alias | Description | Association Type | Votes

NotPetya (association type: is related to; 4 votes): The NotPetya malware is associated with Industroyer. NotPetya is a destructive malware that posed as ransomware, causing significant global damage in 2017. Despite its appearance as ransomware, NotPetya was not designed to extort money but rather to destroy data and disrupt operations, particularly targeting Ukraine's infrastructure. NotPetya was attr