{
	"id": "5f593d39-731e-44d0-a80d-664a0133ddcc",
	"created_at": "2026-04-06T00:06:17.258805Z",
	"updated_at": "2026-04-10T03:37:08.541983Z",
	"deleted_at": null,
	"sha1_hash": "dba94cfef9b611c12d2f0b4ec8a9a1f11ce78e9a",
	"title": "Industroyer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93742,
	"plain_text": "Industroyer\r\nBy Contributors to Wikimedia projects\r\nPublished: 2017-07-04 · Archived: 2026-04-05 13:07:43 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nIndustroyer[1] (also referred to as Crashoverride) is a malware framework considered to have been used in the cyberattack on Ukraine's power grid on 17 December 2016.[2][3][4] The attack cut off power to a fifth of Kyiv, the capital, for one hour and is considered to have been a large-scale test.[5][6] The Kyiv incident was the second cyberattack on Ukraine's power grid in two years; the first occurred on 23 December 2015.[7] Industroyer is the first known malware specifically designed to attack electrical grids.[8] It is also the fourth malware publicly revealed to target industrial control systems, after Stuxnet, Havex, and BlackEnergy.\r\nDiscovery and naming\r\nThe malware was discovered by the Slovak internet security company ESET. ESET and most other security vendors detect it under the name \"Industroyer\".[9][10] Cybersecurity firm Dragos named the malware \"Crashoverride\".[8] In 2022, the Russian hacker group Sandworm attempted another blackout in Ukraine using a variant of Industroyer dubbed Industroyer2.[11]\r\nThe detailed analysis of Industroyer[12] revealed that the malware was designed to disrupt the working processes of industrial control systems, specifically those used in electrical substations. Industroyer is modular malware; its main components are the following:\r\nA main backdoor is used to control all other components of the malware. It connects to its remote Command \u0026 Control servers in order to receive commands from the attackers.\r\nAn additional backdoor provides an alternative persistence mechanism that allows the attackers to regain access to a targeted network in case the main backdoor is detected and/or disabled.\r\nA launcher component is a separate executable responsible for launching the payload components and the data wiper component. The launcher contains a specific activation time and date; analysed samples contained two dates, 17 December 2016 and 20 December 2016. (The former is the date on which the attack actually went ahead.)\r\nFour payload components target particular industrial communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC Data Access). The payload components first map the network and then issue commands to specific industrial control devices.\r\nA data wiper component is designed to erase system-critical Registry keys and overwrite files, making the system unbootable and recovery from the attack harder.\r\nSee also\r\nControl system security\r\nCyberwarfare\r\nUkraine power grid hack\r\nPipedream (toolkit)\r\nReferences\r\n1. ^ \"Video-Youtube\" (in Spanish). CCN-CERT STICS Conference 2017 – via YouTube.\r\n2. ^ \"NPC Ukrenergo official statement\". 18 December 2016 – via Facebook.\r\n3. ^ Pavel Polityuk, Oleg Vukmanovic and Stephen Jewkes (18 January 2017). \"Ukraine's power outage was a cyber attack: Ukrenergo\". Reuters.\r\n4. ^ Cherepanov, Anton (17 June 2017). \"Industroyer: Biggest threat to industrial control systems since Stuxnet\". welivesecurity.com. ESET.\r\n5. ^ Zetter, Kim (17 January 2017). \"The Ukrainian Power Grid Was Hacked Again\". Motherboard.\r\n6. ^ \"'Crash Override': The Malware That Took Down a Power Grid\". WIRED. Retrieved 22 January 2018.\r\n7. ^ \"Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) | ICS-CERT\". ics-cert.us-cert.gov. Retrieved 22 January 2018.\r\n8. ^ Dragos Inc. (12 June 2017). \"CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations\" (PDF). Dragos.\r\n9. ^ \"Industroyer main backdoor detections\". VirusTotal. 27 June 2017.\r\n10. ^ \"Industroyer data wiper component detections\". VirusTotal. 27 June 2017.\r\n11. ^ Greenberg, Andy. \"Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine\". Wired. ISSN 1059-1028. Retrieved 13 April 2022.\r\n12. ^ Cherepanov, Anton (12 June 2017). \"WIN32/INDUSTROYER A new threat for industrial control systems\" (PDF). welivesecurity.com. ESET.\r\nFurther reading\r\nENISA (14 December 2011). \"Protecting Industrial Control Systems. Recommendations for Europe and Member States\".\r\nU.S. Department of Homeland Security (1 October 2009). \"Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability\" (PDF).\r\nAndy Greenberg (20 June 2017). \"How an Entire Nation Became Russia's Test Lab For Cyberwar\". Wired.\r\nMichael McFail; Jordan Hanna; Daniel Rebori-Carretero (December 2021). \"Detection Engineering in Industrial Control Systems: Ukraine 2016 Attack: Sandworm Team and Industroyer Case Study\". mitre.org. MITRE.\r\nCategories:\r\nWindows trojans\r\nCyberattacks on energy sector\r\n2010s in hacking\r\n2016 crimes in Ukraine\r\nMalware targeting industrial control systems\r\nSource: https://en.wikipedia.org/wiki/Industroyer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Industroyer"
	],
	"report_names": [
		"Industroyer"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dba94cfef9b611c12d2f0b4ec8a9a1f11ce78e9a.pdf",
		"text": "https://archive.orkl.eu/dba94cfef9b611c12d2f0b4ec8a9a1f11ce78e9a.txt",
		"img": "https://archive.orkl.eu/dba94cfef9b611c12d2f0b4ec8a9a1f11ce78e9a.jpg"
	}
}
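The archived article above describes payload components that map the substation network and then issue commands over IEC 60870-5-104, one of the protocols Industroyer targets. The following Python block is an added example written for this record; it is not code from Wikipedia, ESET, Dragos or the malware itself. It decodes IEC 104 APDUs, identifies control-direction ASDUs (single and double commands, interrogation commands) and raises two alerts: a command sent by a host that is not an authorised SCADA master, and one host sweeping commands across many information object addresses. The IP addresses, the allowlist, the sample frames and the sweep heuristic are all assumptions constructed here, not facts from the page.

```python
# Added example (not from the page, ESET, Dragos or the malware): a minimal
# IEC 60870-5-104 decoder plus two detections for control-direction traffic.
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Control-direction ASDU type identifiers; only those decoded below are listed.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    100: "C_IC_NA_1 interrogation command",
}
COMMAND_COTS = {6: "activation", 8: "deactivation"}   # causes that carry a command

@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cot: int
    originator: int
    common_addr: int
    ioa: int          # information object address of the first object
    payload: bytes    # bytes after that IOA (e.g. the SCO/DCO octet)

def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Decode one IEC 104 APDU: the ASDU of an I-format frame, None for S/U-format
    (sequence and link control) frames; ValueError on malformed input."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (missing 0x68 start byte)")
    if data[1] != len(data) - 2:
        raise ValueError("APDU length field does not match frame size")
    if data[2] & 0x01:                       # bit 0 set: S-format (01) or U-format (11)
        return None
    asdu = data[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU too short for its header plus one IOA")
    cot = asdu[2] & 0x3F                     # bits 6/7 are the P/N and test flags
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return Asdu(asdu[0], asdu[1] & 0x7F, cot, asdu[3], common_addr, ioa, asdu[9:])

def describe_command(a: Asdu) -> str:
    """Summarise single/double commands, including the select/execute (S/E) bit."""
    if a.type_id in (45, 46, 58, 59) and a.payload:
        qual = a.payload[0]
        if a.type_id in (45, 58):
            state, kind = ("ON" if qual & 0x01 else "OFF"), "single"
        else:
            state, kind = {1: "OFF", 2: "ON"}.get(qual & 0x03, "invalid"), "double"
        return f"{kind} command {state} ({'select' if qual & 0x80 else 'execute'})"
    return CONTROL_TYPES.get(a.type_id, f"type {a.type_id}")

def detect(packets: Iterable[Tuple[str, str, bytes]], authorized_masters,
           sweep_threshold: int = 3) -> List[str]:
    """packets: (src_ip, dst_ip, apdu_bytes), e.g. reassembled from a capture.
    Alert 1: a command from a host that is not an authorised SCADA master.
    Alert 2 (heuristic assumed here, not stated on the page): one source
    commanding sweep_threshold distinct objects, i.e. walking through IOAs."""
    alerts: List[str] = []
    objects_by_source = {}
    for src, dst, raw in packets:
        asdu = parse_apdu(raw)
        if asdu is None or asdu.type_id not in CONTROL_TYPES or asdu.cot not in COMMAND_COTS:
            continue
        if src not in authorized_masters:
            alerts.append(f"unauthorised control: {src} -> {dst} CA={asdu.common_addr} "
                          f"IOA={asdu.ioa} {describe_command(asdu)} ({COMMAND_COTS[asdu.cot]})")
        seen = objects_by_source.setdefault(src, set())
        seen.add((asdu.common_addr, asdu.ioa))
        if len(seen) == sweep_threshold:
            alerts.append(f"command sweep: {src} has sent commands to {sweep_threshold} distinct objects")
    return alerts

def build_single_command(ca: int, ioa: int, on: bool, execute: bool = True,
                         send_seq: int = 0, recv_seq: int = 0) -> bytes:
    """Build a C_SC_NA_1 activation frame; used here only to construct sample traffic."""
    sco = (0x01 if on else 0x00) | (0x00 if execute else 0x80)
    asdu = bytes([45, 0x01, 6, 0]) + struct.pack("<H", ca) + ioa.to_bytes(3, "little") + bytes([sco])
    return bytes([0x68, 4 + len(asdu)]) + struct.pack("<HH", send_seq << 1, recv_seq << 1) + asdu

# Constructed sample traffic (addresses are assumptions): authorised HMI 10.0.0.5,
# RTU 10.0.1.20, and an unexpected host 10.0.0.77 that opens a session and walks IOAs.
AUTHORIZED_MASTERS = {"10.0.0.5"}
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.1.20", build_single_command(ca=1, ioa=1, on=True)),
    ("10.0.1.20", "10.0.0.5", bytes.fromhex("680e0000000001010300010001000001")),  # M_SP_NA_1, spontaneous
    ("10.0.0.77", "10.0.1.20", bytes.fromhex("680407000000")),                     # U-format STARTDT act
    ("10.0.0.77", "10.0.1.20", build_single_command(ca=1, ioa=0x1001, on=False)),
    ("10.0.0.77", "10.0.1.20", build_single_command(ca=1, ioa=0x1002, on=False, send_seq=1)),
    ("10.0.0.77", "10.0.1.20", build_single_command(ca=1, ioa=0x1003, on=False, send_seq=2)),
]
```

Running `detect(SAMPLE_PACKETS, AUTHORIZED_MASTERS)` yields three "unauthorised control" alerts for 10.0.0.77 (the authorised HMI's command, the RTU's monitoring-direction report and the STARTDT frame are ignored) followed by one "command sweep" alert once that host has addressed three distinct objects. In a real deployment the allowlist would come from the substation's engineering documentation, and the sweep threshold should be tuned against normal HMI behaviour so that routine operator actions do not trip it.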