Industroyer2

Malware Profile Updated 25 days ago
Industroyer2 is a sophisticated piece of malware built to target Industrial Control Systems (ICS). It was developed and deployed by Sandworm, the Russian state-sponsored advanced persistent threat group, which has been active since 2007 and used Industroyer2 in a significant attack against Ukraine's electrical substation. The malware is highly configurable: its configuration is hard-coded yet stored separately from the main code, so a range of parameters can be adjusted to suit the network being targeted. It was deployed as a single executable, "108_100.exe", launched via a scheduled task, demonstrating an advanced level of cyber warfare.

Alongside Industroyer2, Sandworm also used other malware, including CaddyWiper, AWFULSHRED, SOLOSHRED, and ORCSHRED. CaddyWiper and Industroyer2 were aimed specifically at ICS networks, while ORCSHRED, SOLOSHRED, and AWFULSHRED were deployed against Linux and Solaris networks. These attacks are attributed to Sandworm because the PowerShell script used to deploy RansomBoggs is nearly identical to the one used for Industroyer2.

The severity of these threats drew international concern: in November 2022 the UK government specifically named Sandworm's 'Industroyer2' malware as a strain of concern and pledged £6.35 million to Ukraine for cyber defense, a commitment since increased to up to £25 million. Industroyer2 is the seventh known ICS-specific malware, following STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS, and Industroyer. Its recent discovery, together with other strains such as Incontroller and CosmicEnergy, shows how state-sponsored cyber threats continue to evolve.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.

ID | Votes | Profile Description
Industroyer | 3 | Industroyer, also known as CrashOverride, is a potent form of malware designed to target Industrial Control Systems (ICS), particularly those used in electrical substations. Its functionality supports four critical industry protocols and has been notably deployed by the Russia-backed group Sandworm
Cosmicenergy | 2 | CosmicEnergy is a form of malware allegedly originating from Russia that targets industrial control systems, specifically those associated with electrical grids. Unlike other forms of malware, CosmicEnergy lacks the built-in functionality to autonomously discover and identify target systems within a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: ICS, Malware, Ukraine, Wiper
Associated Malware
ID | Type | Votes | Profile Description
CaddyWiper | Unspecified | 4 | CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip
HermeticWiper | Unspecified | 2 | HermeticWiper is a destructive malware that was first identified in cyber attacks against organizations in Ukraine on February 23, 2022. It was disclosed by several cybersecurity researchers including SentinelLabs, a leading cybersecurity firm. This malware is designed to infiltrate and destroy comp
Associated Threat Actors
ID | Type | Votes | Profile Description
Sandworm | Unspecified | 4 | Sandworm is a threat actor, often linked to Russia, known for its high-profile cyber attacks. The group gained notoriety for compromising 11 Ukrainian telecommunications providers and infiltrating Ukraine's telecom giant Kyivstar for months. In addition, Sandworm was responsible for disrupting power
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Industroyer2 malware was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
CERT-EU | a year ago | APT Profile: Sandworm - SOCRadar® Cyber Intelligence Inc.
CERT-EU | 5 months ago | Analysis of OT cyberattacks and malwares
Securelist | a year ago | Reassessing cyberwarfare. Lessons learned in 2022
CERT-EU | a year ago | CosmicEnergy's threat to critical infrastructure in dispute
CERT-EU | a year ago | CosmicEnergy ICS Malware Poses No Immediate Threat, but Should Not Be Ignored
DARKReading | 9 months ago | A Brief History of ICS-Tailored Attacks
ESET | a year ago | A year of wiper attacks in Ukraine | WeLiveSecurity
CERT-EU | a year ago | Cyberattacks on Industrial Control Systems Jumped in 2022
CERT-EU | a year ago | Britain to double cyber defense funding for Ukraine
Securityaffairs | 9 months ago | Russia-linked hackers target Ukrainian military with Infamous Chisel Android malware
CERT-EU | 9 months ago | Russian cyber war tactics continue to evolve, says SBU - TechCentral.ie
Securityaffairs | a year ago | Google TAG warns of Russia-linked APT groups targeting Ukraine
CERT-EU | a year ago | 2022 a breakthrough year for malware targeting critical infrastructure
Securityaffairs | a year ago | Microsoft sheds light on a year of Russian hybrid warfare in Ukraine
Securityaffairs | a year ago | Leaked documents from Russian firm NTC Vulkan show Sandworm cyberwarfare arsenal
Securityaffairs | a year ago | Sandworm APT uses WinRAR in destructive attacks on Ukraine
CERT-EU | a year ago | Microsoft Digital Defense Report: Trends In Device and Infrastructure Attacks
Securityaffairs | a month ago | Previously unknown Kapeka backdoor linked to Sandworm APT
CSO Online | a year ago | APT groups use ransomware TTPs as cover for intelligence gathering and sabotage
Securityaffairs | 7 months ago | Russia-linked Sandworm APT compromised 11 Ukrainian telecommunications providers