Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[1] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[2] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[3]
Name | Description |
---|---|
CRASHOVERRIDE | |
Win32/Industroyer | |
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Industroyer’s main backdoor connected to a remote C2 server using HTTPS.[1] |
Enterprise | T1554 | Compromise Client Software Binary | Industroyer has used a Trojanized version of the Windows Notepad application as an additional backdoor persistence mechanism.[1] |
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Industroyer can use an arbitrary system service to load at system boot for persistence and replaces the ImagePath registry value of a Windows service with a new backdoor binary.[2] |
Enterprise | T1485 | Data Destruction | Industroyer’s data wiper module clears registry keys and overwrites both ICS configuration and Windows files.[2] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Industroyer decrypts code to connect to a remote C2 server.[1] |
Enterprise | T1499.004 | Endpoint Denial of Service: Application or System Exploitation | Industroyer uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices.[1] |
Enterprise | T1041 | Exfiltration Over C2 Channel | Industroyer sends information about hardware profiles and previously received commands back to the C2 server in a POST request.[1] |
Enterprise | T1083 | File and Directory Discovery | Industroyer’s data wiper component enumerates specific files on all the Windows drives.[1] |
Enterprise | T1105 | Ingress Tool Transfer | Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory.[1] |
Enterprise | T1046 | Network Service Scanning | Industroyer uses a custom port scanner to map out a network.[1] |
Enterprise | T1027 | Obfuscated Files or Information | Industroyer uses heavily obfuscated code in its Windows Notepad backdoor.[1] |
Enterprise | T1572 | Protocol Tunneling | Industroyer attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel.[2] |
Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Industroyer used Tor nodes for C2.[2] |
Enterprise | T1012 | Query Registry | Industroyer has a data wiper component that enumerates keys in the Registry |
Enterprise | T1018 | Remote System Discovery | Industroyer can enumerate remote computers in the compromised network.[1] |
Enterprise | T1489 | Service Stop | Industroyer’s data wiper module writes zeros into the registry keys in |
Enterprise | T1082 | System Information Discovery | Industroyer collects the victim machine’s Windows GUID.[2] |
Enterprise | T1016 | System Network Configuration Discovery | Industroyer’s 61850 payload component enumerates connected network adapters and their corresponding IP addresses.[1] |
Enterprise | T1078 | Valid Accounts | Industroyer can use supplied user credentials to execute processes and stop services.[1] |
ID | Name | References |
---|---|---|
G0034 | Sandworm Team | |