{
	"id": "b82e5b4a-9f96-46c1-8ac4-19b31acc1f45",
	"created_at": "2026-04-06T00:14:56.630519Z",
	"updated_at": "2026-04-10T03:22:09.466152Z",
	"deleted_at": null,
	"sha1_hash": "bbfa238d5fdfb411eab6ac67c7d07e08002cd163",
	"title": "Industroyer: Biggest threat to industrial control systems since Stuxnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 172711,
	"plain_text": "Industroyer: Biggest threat to industrial control systems since\r\nStuxnet\r\nBy Anton Cherepanov and Robert Lipovsky\r\nArchived: 2026-04-05 14:30:56 UTC\r\nESET Research\r\nESET has analyzed a sophisticated and extremely dangerous malware, known as Industroyer, which is designed to\r\ndisrupt critical industrial processes.\r\n12 Jun 2017 • 5 min. read\r\nUpdate (July 17th): The authors of the Industroyer research, Anton Cherepanov and Robert Lipovsky, will present\r\ntheir findings at Black Hat USA in Las Vegas on July 26th, 2017. More information can be found here.\r\nThe 2016 attack on Ukraine’s power grid that deprived part of its capital, Kiev, of power for an hour was caused\r\nby a cyberattack. ESET researchers have since analyzed samples of malware, detected by ESET as\r\nWin32/Industroyer, capable of performing exactly that type of attack.\r\nWhether the same malware was really involved in what cybersecurity experts consider to have been a large-scale\r\ntest is yet to be confirmed. Regardless, the malware is capable of doing significant harm to electric power systems\r\nand could also be refitted to target other types of critical infrastructure.\r\nIndustroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and\r\ncircuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply\r\ninfrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).\r\nThese switches and circuit breakers are digital equivalents of analogue switches; technically they can be\r\nengineered to perform various functions. Thus, the potential impact may range from simply turning off power\r\ndistribution to cascading failures and more serious damage to equipment.
The severity may also vary from one substation to another.\r\nhttps://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/\r\nPage 1 of 4\n\nNeedless to say, disruption of such systems can directly or indirectly affect the\r\nfunctioning of vital services.\r\nIndustroyer’s dangerousness lies in the fact that it uses protocols in the way they were designed to be used. The\r\nproblem is that these protocols were designed decades ago, and back then industrial systems were meant to be\r\nisolated from the outside world. Thus, their communication protocols were not designed with security in mind.\r\nThat means that the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach\r\nthe malware “to speak” those protocols.\r\nThe recent power outage occurred on December 17th, 2016, almost exactly one year after the well-documented\r\ncyberattack that caused a blackout that affected around 250,000 households in several regions in Ukraine on\r\nDecember 23rd, 2015.\r\nIn 2015, the perpetrators infiltrated the electricity distribution networks with the BlackEnergy malware, along with\r\nKillDisk and other malicious components, and then abused legitimate remote access software to control operators’\r\nworkstations and to cut off power. Aside from targeting the Ukrainian power grid, there are no apparent\r\nsimilarities in code between BlackEnergy and Industroyer.\r\nStructure and key functionalities\r\nIndustroyer is modular malware.
Its core component is a backdoor used by attackers to manage the attack: it\r\ninstalls and controls the other components and connects to a remote server to receive commands and to report to\r\nthe attackers.\r\nWhat sets Industroyer apart from other malware targeting infrastructure is its use of four payload components,\r\nwhich are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.\r\nEach of these components targets particular communication protocols specified in the following standards: IEC\r\n60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA).\r\nGenerally, the payloads work in stages whose goals are mapping the network, and then figuring out and issuing\r\ncommands that will work with the specific industrial control devices. Industroyer’s payloads show the authors’\r\ndeep knowledge and understanding of industrial control systems.\r\nThe malware contains a few more features that are designed to enable it to remain under the radar, to ensure the\r\nmalware’s persistence, and to wipe all traces of itself after it has done its job.\r\nFor example, the communication with the C\u0026C servers hidden in Tor can be limited to non-working hours. Also,\r\nit employs an additional backdoor - masquerading as the Notepad application - designed to regain access to the\r\ntargeted network in case the main backdoor is detected and/or disabled.\r\nAnd its wiper module is designed to erase system-crucial Registry keys and overwrite files to make the system\r\nunbootable and the recovery harder. Of interest is the port scanner that maps the network, trying to find relevant\r\ncomputers: the attackers made their own custom tool instead of using existing software.
Finally, yet another\r\nmodule is a Denial-of-Service tool that exploits the CVE-2015-5374 vulnerability in Siemens SIPROTEC devices\r\nand can render targeted devices unresponsive.\r\nConclusion\r\nIndustroyer is highly customizable malware. While being universal, in that it can be used to attack any industrial\r\ncontrol system using some of the targeted communication protocols, some of the components in analyzed samples\r\nwere designed to target particular hardware. For example, the wiper component and one of the payload\r\ncomponents are tailored for use against systems incorporating certain industrial power control products by ABB,\r\nand the DoS component works specifically against Siemens SIPROTEC devices used in electrical substations\r\nand other related fields of application.\r\nWhile in principle it’s difficult to attribute attacks to malware without performing an onsite incident response, it’s\r\nhighly probable that Industroyer was used in the December 2016 attack on the Ukrainian power grid. On top of\r\nthe fact that the malware clearly possesses the unique capabilities to perform the attack, it contains an activation\r\ntimestamp for December 17th, 2016, the day of the power outage.\r\nThe 2016 attack on the Ukrainian power grid attracted much less attention than the attack that occurred a year\r\nearlier. However, the tool most likely used, Win32/Industroyer, is an advanced piece of malware in the hands of a\r\nsophisticated and determined attacker.\r\nThanks to its ability to persist in the system and provide valuable information for tuning up the highly\r\nconfigurable payloads, attackers could adapt the malware to any environment, which makes it extremely\r\ndangerous.
Regardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve\r\nas a wake-up call for those responsible for security of critical systems around the world.\r\nAdditional technical details on the malware and Indicators of Compromise can be found in our comprehensive\r\nwhite paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us\r\nat: threatintel@eset.com.\r\nSource: https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/"
	],
	"report_names": [
		"industroyer-biggest-threat-industrial-control-systems-since-stuxnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434496,
	"ts_updated_at": 1775791329,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bbfa238d5fdfb411eab6ac67c7d07e08002cd163.pdf",
		"text": "https://archive.orkl.eu/bbfa238d5fdfb411eab6ac67c7d07e08002cd163.txt",
		"img": "https://archive.orkl.eu/bbfa238d5fdfb411eab6ac67c7d07e08002cd163.jpg"
	}
}