Industroyer[1] (also referred to as Crashoverride) is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. [2][3][4] The attack cut a fifth of Kyiv, the capital, off power for one hour and is considered to have been a large-scale test. [5][6] The Kyiv incident was the second cyberattack on Ukraine's power grid in two years. The first attack occurred on December 23, 2015.[7] Industroyer is the first ever known malware specifically designed to attack electrical grids. [8] At the same time, it is the fourth malware publicly revealed to target industrial control systems, after Stuxnet, Havex, and BlackEnergy.
The malware was discovered by Slovak internet security company ESET. ESET and most of the cybersecurity companies detect it under the name “Industroyer”.[9][10] Cybersecurity firm Dragos named the malware “Crashoverride”. [8] In 2022, the Russian hacker group Sandworm initiated a blackout in Ukraine using a variant of Industroyer aptly dubbed Industroyer2.[11]
Descriptionedit
The detailed analysis of Industroyer [12] revealed that the malware was designed to disrupt the working processes of industrial control systems, specifically those used in electrical substations. Industroyer is modular malware; its main components are the following:
A main backdoor is used to control all other components of the malware. It connects to its remote Command & Control servers in order to receive commands from the attackers.
An additional backdoor provides an alternative persistence mechanism that allows the attackers to regain access to a targeted network in case the main backdoor is detected and/or disabled.
A launcher component is a separate executable responsible for launching the payload components and the data wiper component. The launcher component contains a specific activation time and date; analyzed samples contained two dates: December 17, 2016 and December 20, 2016. (Note: the former date was the date the attack actually went ahead.)
Four payload components target particular industrial communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC Data Access). The functionalities of the payload components include mapping the network, and then issuing commands to the specific industrial control devices.
A data wiper component is designed to erase system-crucial Registry keys and overwrite files to make the system unbootable and recovery from the attack harder.
^ abDragos Inc. (12 June 2017). "CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations" (PDF). Dragos.
^"Industroyer main backdoor detections". Virustotal. 27 June 2017.
^"Industroyer data wiper component detections". Virustotal. 27 June 2017.
^Greenberg, Andy. "Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine". Wired. ISSN 1059-1028. Retrieved 13 April 2022.
^Cherepanov, Anton (12 June 2017). "WIN32/INDUSTROYER A new threat for industrial control systems" (PDF). www.welivesecurity.com. ESET.
Further readingedit
ENISA "Protecting Industrial Control Systems. Recommendations for Europe and Member States". 14 December 2011.
U.S. DEPARTMENT OF HOMELAND SECURITY "Recommended Practice: Developing an Industrial Control Systems, Cybersecurity Incident Response Capability" (PDF). 1 October 2009.
Andy Greenberg (20 June 2017). "How an Entire Nation Became Russia's Test Lab For Cyberwar". Wired.
Michael McFail; Jordan Hanna; Daniel Rebori-Carretero (December 2021). "Detection Engineering in Industrial Control Systems- Ukraine 2016 Attack: Sandworm Team and Industroyer Case Study". mitre.org. MITRE.
April 12, 2024
industroyer, also, referred, crashoverride, malware, framework, considered, have, been, used, cyberattack, ukraine, power, grid, december, 2016, attack, fifth, kyiv, capital, power, hour, considered, have, been, large, scale, test, kyiv, incident, second, cybe. Industroyer 1 also referred to as Crashoverride is a malware framework considered to have been used in the cyberattack on Ukraine s power grid on December 17 2016 2 3 4 The attack cut a fifth of Kyiv the capital off power for one hour and is considered to have been a large scale test 5 6 The Kyiv incident was the second cyberattack on Ukraine s power grid in two years The first attack occurred on December 23 2015 7 Industroyer is the first ever known malware specifically designed to attack electrical grids 8 At the same time it is the fourth malware publicly revealed to target industrial control systems after Stuxnet Havex and BlackEnergy Contents 1 Discovery and naming 2 Description 3 See also 4 References 5 Further readingDiscovery and naming editThe malware was discovered by Slovak internet security company ESET ESET and most of the cybersecurity companies detect it under the name Industroyer 9 10 Cybersecurity firm Dragos named the malware Crashoverride 8 In 2022 the Russian hacker group Sandworm initiated a blackout in Ukraine using a variant of Industroyer aptly dubbed Industroyer2 11 Description editThe detailed analysis of Industroyer 12 revealed that the malware was designed to disrupt the working processes of industrial control systems specifically those used in electrical substations Industroyer is modular malware its main components are the following A main backdoor is used to control all other components of the malware It connects to its remote Command amp Control servers in order to receive commands from the attackers An additional backdoor provides an alternative persistence mechanism that allows the attackers to regain access to a targeted network in case the main backdoor is detected and or disabled A launcher component is a separate executable responsible for launching the payload components and the data wiper component The launcher component contains a specific activation time and date analyzed samples contained two dates December 17 2016 and December 20 2016 Note the former date was the date the attack actually went ahead Four payload components target particular industrial communication protocols specified in the following standards IEC 60870 5 101 IEC 60870 5 104 IEC 61850 and OLE for Process Control Data Access OPC Data Access The functionalities of the payload components include mapping the network and then issuing commands to the specific industrial control devices A data wiper component is designed to erase system crucial Registry keys and overwrite files to make the system unbootable and recovery from the attack harder See also editControl system security Cyberwarfare Ukraine power grid hack Pipedream toolkit References edit Spanish Video CCN CERT STICS Conference 2017 Video Youtube YouTube a href Template Cite web html title Template Cite web cite web a CS1 maint numeric names authors list link NPC Ukrenergo official statement Facebook 18 December 2016 Pavel Polityuk Oleg Vukmanovic and Stephen Jewkes 18 January 2017 Ukraine s power outage was a cyber attack Ukrenergo Reuters Cherepanov Anton 17 June 2017 Industroyer Biggest threat to industrial control systems since Stuxnet www welivesecurity com ESET Zetter Kim 17 January 2017 The Ukrainian Power Grid Was Hacked Again Motherboard Crash Override The Malware That Took Down a Power Grid WIRED Retrieved 22 January 2018 Ongoing Sophisticated Malware Campaign Compromising ICS Update E ICS CERT ics cert us cert gov Retrieved 22 January 2018 a b Dragos Inc 12 June 2017 CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations PDF Dragos Industroyer main backdoor detections Virustotal 27 June 2017 Industroyer data wiper component detections Virustotal 27 June 2017 Greenberg Andy Russia s Sandworm Hackers Attempted a Third Blackout in Ukraine Wired ISSN 1059 1028 Retrieved 13 April 2022 Cherepanov Anton 12 June 2017 WIN32 INDUSTROYER A new threat for industrial control systems PDF www welivesecurity com ESET Further reading editENISA Protecting Industrial Control Systems Recommendations for Europe and Member States 14 December 2011 U S DEPARTMENT OF HOMELAND SECURITY Recommended Practice Developing an Industrial Control Systems Cybersecurity Incident Response Capability PDF 1 October 2009 Andy Greenberg 20 June 2017 How an Entire Nation Became Russia s Test Lab For Cyberwar Wired Michael McFail Jordan Hanna Daniel Rebori Carretero December 2021 Detection Engineering in Industrial Control Systems Ukraine 2016 Attack Sandworm Team and Industroyer Case Study mitre org MITRE Retrieved from https en wikipedia org w index php title Industroyer amp oldid 1209150300, wikipedia, wiki, book, books, library,
