Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[1] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[2] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[3]

ID: S0604
Associated Software: CRASHOVERRIDE, Win32/Industroyer
Platforms: Windows
Version: 1.0
Created: 04 January 2021
Last Modified: 13 October 2021

Associated Software Descriptions

Name Description




Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Industroyer’s main backdoor connected to a remote C2 server using HTTPS.[1]

Enterprise T1554 Compromise Client Software Binary

Industroyer has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Industroyer can use an arbitrary system service to load at system boot for persistence and replaces the ImagePath registry value of a Windows service with a new backdoor binary.[2]

Enterprise T1485 Data Destruction

Industroyer’s data wiper module clears registry keys and overwrites both ICS configuration and Windows files.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Industroyer decrypts code to connect to a remote C2 server.[1]

Enterprise T1499 .004 Endpoint Denial of Service: Application or System Exploitation

Industroyer uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Industroyer sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request.[1]

Enterprise T1083 File and Directory Discovery

Industroyer’s data wiper component enumerates specific files on all the Windows drives.[1]

Enterprise T1105 Ingress Tool Transfer

Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory.[1]

Enterprise T1046 Network Service Scanning

Industroyer uses a custom port scanner to map out a network.[1]

Enterprise T1027 Obfuscated Files or Information

Industroyer uses heavily obfuscated code in its Windows Notepad backdoor.[1]

Enterprise T1572 Protocol Tunneling

Industroyer attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel.[2]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Industroyer used Tor nodes for C2.[2]

Enterprise T1012 Query Registry

Industroyer has a data wiper component that enumerates keys in the Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.[1]

Enterprise T1018 Remote System Discovery

Industroyer can enumerate remote computers in the compromised network.[1]

Enterprise T1489 Service Stop

Industroyer’s data wiper module writes zeros into the registry keys in SYSTEM\CurrentControlSet\Services to render a system inoperable.[2]

Enterprise T1082 System Information Discovery

Industroyer collects the victim machine’s Windows GUID.[2]

Enterprise T1016 System Network Configuration Discovery

Industroyer’s 61850 payload component enumerates connected network adapters and their corresponding IP addresses.[1]

Enterprise T1078 Valid Accounts

Industroyer can use supplied user credentials to execute processes and stop services.[1]

Groups That Use This Software

ID Name References
G0034 Sandworm Team