Industroyer (also referred to as Crashoverride) is a malware framework considered to have been used in the cyberattack on Ukraine's power grid on December 17, 2016. The attack cut a fifth of Kyiv, the capital, off power for one hour and is considered to have been a large-scale test.
The Kyiv incident was the second cyberattack on Ukraine's power grid in two years. The first attack occurred on December 23, 2015. Industroyer is the first ever known malware specifically designed to attack electrical grids. At the same time, it is the fourth malware publicly revealed to target industrial control systems, after Stuxnet, Havex, and BlackEnergy.
Discovery and naming
The malware was discovered by the Slovak internet security company ESET. ESET and most other cybersecurity companies detect it under the name “Industroyer”. Cybersecurity firm Dragos named the malware “Crashoverride”.
In 2022, the Russian hacker group Sandworm initiated a blackout in Ukraine using a variant of Industroyer aptly dubbed Industroyer2.
Description
Detailed analysis of Industroyer revealed that the malware was designed to disrupt the working processes of industrial control systems, specifically those used in electrical substations.
Industroyer is modular malware; its main components are the following:
*A main backdoor is used to control all other components of the malware. It connects to its remote Command & Control servers in order to receive commands from the attackers.
*An additional backdoor provides an alternative persistence mechanism that allows the attackers to regain access to a targeted network in case the main backdoor is detected and/or disabled.
*A launcher component is a separate executable responsible for launching the payload components and the data wiper component. The launcher component contains a specific activation time and date; analyzed samples contained two dates: December 17, 2016 and December 20, 2016. (Note: the former date was the date the attack actually went ahead.)
*Four payload components target particular industrial communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC Data Access). The functionalities of the payload components include mapping the network and then issuing commands to specific industrial control devices.
*A data wiper component is designed to erase system-crucial Registry keys and overwrite files to make the system unbootable and recovery from the attack harder.
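As an added example (not from the article, and not ESET's or Dragos's code), a minimal detection-side parser for the IEC 60870-5-104 framing that one of the payload components speaks: it decodes the APCI and ASDU header and alerts when a host other than the known SCADA master issues a control command, which is the traffic pattern a substation monitor should baseline. The frames, hosts and addresses are constructed for the demo.

```python
# Added example, not code from the article or from ESET/Dragos: a small IEC 60870-5-104
# APDU inspector of the kind a substation network monitor would run. Frames, hosts
# and addresses below are constructed for the demo.
import struct

# ASDU type identifiers (IEC 60870-5-101/-104) that carry process control commands
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step command", 100: "C_IC_NA_1 interrogation command"}
COT_ACTIVATION = 6  # cause of transmission: a command being issued, not a reply


def parse_apdu(frame: bytes) -> dict:
    """Parse one APDU: start 0x68, length octet, 4 control octets, then the ASDU on I-frames."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        raise ValueError("not a well-formed IEC 104 APDU")
    ctrl = frame[2:6]
    if ctrl[0] & 0x03 == 0x03:
        return {"format": "U"}  # unnumbered: STARTDT/STOPDT/TESTFR link control
    if ctrl[0] & 0x03 == 0x01:
        return {"format": "S"}  # supervisory: receive-sequence acknowledgement only
    asdu = frame[6:]
    if len(asdu) < 9:
        raise ValueError("I-frame with truncated ASDU")
    type_id, vsq, cot, common_addr = struct.unpack("<BBHH", asdu[:6])
    return {"format": "I", "send_seq": int.from_bytes(ctrl[:2], "little") >> 1,
            "type_id": type_id, "num_objects": vsq & 0x7F,
            "cot": cot & 0x3F,  # cause lives in the low 6 bits of the first COT octet
            "common_addr": common_addr,
            "ioa": int.from_bytes(asdu[6:9], "little")}  # first information object address


def find_unexpected_commands(frames, trusted_masters):
    """Alert on control ASDUs with COT=activation from any host that is not a known SCADA master."""
    alerts = []
    for src, frame in frames:
        info = parse_apdu(frame)
        if info["format"] != "I" or info["type_id"] not in CONTROL_TYPES:
            continue
        if info["cot"] == COT_ACTIVATION and src not in trusted_masters:
            alerts.append((src, CONTROL_TYPES[info["type_id"]], info["common_addr"], info["ioa"]))
    return alerts


# Constructed sample traffic as (source host, APDU bytes); 10.0.0.1 is the legitimate master
SAMPLE_FRAMES = [
    ("10.0.0.99", bytes.fromhex("680e020000002d010600010001100001")),  # single command, IOA 4097
    ("10.0.0.1", bytes.fromhex("680e020000002d010600010001100001")),   # same command from the master
    ("10.0.0.99", bytes.fromhex("680443000000")),                      # TESTFR act, no ASDU
    ("10.0.0.20", bytes.fromhex("680e0400000001010300010005000001")),  # M_SP_NA_1 spontaneous update
    ("10.0.0.99", bytes.fromhex("680e0600000064010600010000000014")),  # station interrogation
]
```

Running `find_unexpected_commands(SAMPLE_FRAMES, {"10.0.0.1"})` yields two alerts, both for the untrusted host 10.0.0.99; the same command from the master and the non-command frames are ignored.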
See also
* Control system security
* Cyberwarfare
* Ukraine power grid hack
* Pipedream (toolkit)
Further reading
* ENISA
* U.S. Department of Homeland Security
* Andy Greenberg, “How an Entire Nation Became Russia's Test Lab For Cyberwar”, Wired, 2017-06-20. https://www.wired.com/story/russian-hackers-attack-ukraine/