Connect with us

Hi, what are you looking for?



‘Industroyer’ ICS Malware Linked to Ukraine Power Grid Attack

Industroyer/CRASHOVERRIDE malware targets electrical substations - Photo Credit: Idaho National Laboratory

Researchers have conducted a detailed analysis of a piece of malware that appears to have been specially designed for cyberattacks targeting power grids. The malware is believed to have been used in the December 2016 attack aimed at an electrical substation in Ukraine.

The malware was discovered by ESET, which has dubbed it Industroyer. The company has also shared some data with ICS cybersecurity company Dragos, which tracks it as CRASHOVERRIDE and the threat actor that uses it as ELECTRUM.

Links to Ukraine power grid attacks

Malware designed to specifically target industrial control systems (ICS) is rare – Industroyer is only the fourth such threat known to the cybersecurity community. The other ICS-tailored malware families are Stuxnet, used in the 2010 attack targeting Iranian nuclear facilities, BlackEnergy, used in the December 2015 Ukraine power grid attacks, and Havex, used mainly against organizations in Europe.

While they could not confirm that Industroyer/CRASHOVERRIDE was the direct cause of the 2016 power outages in Ukraine’s Kiev region, which are believed by many to be the work of Russia, both ESET and Dragos – based on compilation dates and other data – are fairly confident that this is the malware used in the attack.

Dragos believes the ELECTRUM actor has direct ties to the BlackEnergy (Sandworm) group, and ESET pointed out that while there are no code similarities between the malware used in the 2015 and 2016 Ukraine attacks, some components are similar in concept.

Attack scenarios

Advertisement. Scroll to continue reading.

Industroyer has been described as a sophisticated modular malware that has several components: a backdoor, a launcher, a data wiper, various tools, and at least four payloads. These payloads are the most interesting component as they allow the malware’s operators to control electric circuit breakers.

In one theoretical attack scenario described by Dragos in its report, malicious actors use the malware to open closed breakers in an infinite loop, causing the substation to de-energize. By executing commands in an infinite loop, the attackers ensure that operators of the targeted facility cannot close the breakers from the HMI. This can require operators to interrupt communications with the substation and manually address the issue, which could result in an outage that lasts for a few hours.

In another scenario described by researchers, the attackers initiate an infinite loop where breakers continually open and close, which can trigger protections and cause the substation to go offline. Experts believe that launching such an attack in a coordinated fashion against multiple sites could result in outages that last for a few days.

Industroyer/CRASHOVERRIDE components

The malware’s main backdoor component allows attackers to execute various commands on the infected system. It communicates with its command and control (C&C) servers over the Tor network and it can be programmed to be active only at specified times, which are likely mechanisms for avoiding detection.

This component also deploys a secondary backdoor disguised as a trojanized version of the Windows Notepad application. The main backdoor is also responsible for installing the launcher component, which initiates the wiper and the payloads.

Learn More at SecurityWeek’s ICS Cyber Security Conference

The wiper is apparently designed for the final stages of the attack to help the attackers hide their tracks and make it more difficult to restore affected systems. This includes clearing registry keys, and overwriting ICS configuration and Windows files.

The payloads, which allow attackers to control circuit breakers, leverage industrial communication protocols. This suggests that at least some of the malware’s developers have a deep understanding of power grid operations and industrial network communications.

Other tools tied to the Industroyer malware include a custom-built port scanner and a denial-of-service (DoS) tool that exploits CVE-2015-5374 to cause Siemens SIPROTEC relays to become unresponsive.

While the samples analyzed by ESET and Dragos can be used to target other energy organizations in Europe and some parts of the Middle East, the malware could also be adapted for attacks targeting the North American grid.

Researchers at Dragos pointed out that while CRASHOVERRIDE appears to be designed to specifically target the energy sector, attackers could create new modules for other types of targets.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.