Industroyer2

Industroyer2 is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in Industroyer. Security researchers assess that Industroyer2 was designed to cause impact to high-voltage electrical substations. The initial Industroyer2 sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.[1]

ID: S1072
Type: MALWARE
Platforms: Field Controller/RTU/PLC/IED, Engineering Workstation
Version: 1.0
Created: 30 March 2023
Last Modified: 06 April 2023

Techniques Used

Domain ID Name Use
Enterprise T1057 Process Discovery

Industroyer2 has the ability to cyclically enumerate running processes such as PServiceControl.exe, PService_PDD.exe, and other targets supplied through a hardcoded configuration.[2]

ICS T0802 Automated Collection

Industroyer2 leverages a hardcoded list of remote-station IP addresses to iteratively initiate communications and collect information across multiple priority IEC-104 priority levels.[3]

ICS T0806 Brute Force I/O

Industroyer2 can iterate across a device’s IOAs to modify the ON/OFF value of a given IO state.[2][3]

ICS T0836 Modify Parameter

Industroyer2 modifies specified Information Object Addresses (IOAs) for specified Application Service Data Unit (ASDU) addresses to either the ON or OFF state.[2][3]

ICS T0801 Monitor Process State

Industroyer2 uses a General Interrogation command to monitor the device’s Information Object Addresses (IOAs) and their IO state values.[3]

ICS T0888 Remote System Information Discovery

Industroyer2 has the capability to poll a target device about its connection status, data transfer status, Common Address (CA), Information Object Addresses (IOAs), and IO state values across multiple priority levels.[3][4]

ICS T0881 Service Stop

Industroyer2 has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. These are defined through a hardcoded configuration.[2]

ICS T0855 Unauthorized Command Message

Industroyer2 is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.[2][3]

Groups That Use This Software

ID Name References
G0034 Sandworm Team

[4]

References