Industroyer2

Malware updated 5 months ago (2024-05-04T20:20:49.922Z)
Industroyer2 is a sophisticated piece of malware designed to target Industrial Control Systems (ICS). It was developed and deployed by the Russian state-sponsored advanced persistent threat group Sandworm, which has been active since 2007 and used Industroyer2 in a significant attack against a Ukrainian electrical substation. The malware is highly configurable: its configuration is hard-coded and stored separately from the main logic, allowing a range of parameters to be adjusted to suit the network being targeted. It was deployed as a single executable file, "108_100.exe", via a scheduled task, demonstrating an advanced level of cyber warfare.

In addition to Industroyer2, Sandworm also used other malware, including CaddyWiper, AWFULSHRED, SOLOSHRED, and ORCSHRED. CaddyWiper and Industroyer2 were used specifically against ICS networks, while ORCSHRED, SOLOSHRED, and AWFULSHRED were deployed against Linux and Solaris networks. These attacks are attributed to Sandworm because the PowerShell script used to deploy RansomBoggs is nearly identical to the one used to deploy Industroyer2.

The severity of these threats led to international concern: in November 2022 the UK government specifically named Sandworm's Industroyer2 malware as a strain of concern and pledged £6.35 million to Ukraine for cyber defense, a figure that has since been increased to up to £25 million. Industroyer2 is the seventh known ICS-specific malware, following STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS, and Industroyer. Its recent discovery, along with other strains such as Incontroller and CosmicEnergy, indicates the evolving nature of state-sponsored cyber threats.
Description last updated: 2024-04-18T15:16:11.180Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias (votes): Description
Industroyer (3 votes): Industroyer is a possible alias for Industroyer2. Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The ma
Cosmicenergy (2 votes): Cosmicenergy is a possible alias for Industroyer2. CosmicEnergy is a form of malware allegedly originating from Russia that targets industrial control systems, specifically those associated with electrical grids. Unlike other forms of malware, CosmicEnergy lacks the built-in functionality to autonomously discover and identify target systems within a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ics
Malware
Ukraine
Wiper
Analyst Notes & Discussion
Associated Malware
Alias (association type, votes): Description
CaddyWiper (Unspecified, 4 votes): The CaddyWiper Malware is associated with Industroyer2. CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip
HermeticWiper (Unspecified, 2 votes): The HermeticWiper Malware is associated with Industroyer2. HermeticWiper is a destructive malware that was first disclosed by cybersecurity researchers on February 23, 2022. This malicious software was deployed against organizations in Ukraine, with the intent of destroying computer systems and rendering them inoperable. The malware infiltrates systems thro
Associated Threat Actors
Alias (association type, votes): Description
Sandworm (Unspecified, 4 votes): The Sandworm Threat Actor is associated with Industroyer2. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi
Source Document References
Information about the Industroyer2 malware was read from the document corpus below. This display is limited to 20 results.
Source (created)
Securityaffairs (6 months ago)
CERT-EU (a year ago)
CERT-EU (9 months ago)
Securityaffairs (9 months ago)
BankInfoSecurity (a year ago)
Securityaffairs (a year ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
ESET (2 years ago)
Securityaffairs (a year ago)
DARKReading (a year ago)
CSO Online (2 years ago)
ESET (2 years ago)
CERT-EU (2 years ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
Securityaffairs (a year ago)
Securityaffairs (2 years ago)
CERT-EU (a year ago)