Threat Actor

Industroyer / CrashOverride / Industroyer2

industroyer · russia_apt_sandworm · active since 2016-12

Industroyer / CrashOverride / Industroyer2 (canonical ESET naming Industroyer per the June 12, 2017 WeLiveSecurity disclosure by Anton Cherepanov and Robert Lipovsky titled "Industroyer: Biggest threat to industrial control systems since Stuxnet"; canonical Dragos parallel naming CrashOverride per the June 13, 2017 Dragos disclosure by Robert M. Lee, with the ELECTRUM threat actor naming directly linked to Sandworm; cluster-defining successor variant Industroyer2 per the ESET April 12, 2022 disclosure by Anton Cherepanov in collaboration with CERT-UA) is an ICS-specific malware platform attributed to Sandworm Team (Russian GRU Unit 74455, also Mandiant APT44 / Microsoft Seashell Blizzard / Secureworks Iron Viking / CrowdStrike Voodoo Bear / Dragos ELECTRUM, curated separately in this corpus as the sandworm_team parent operator cluster).

Operationally significant as the first publicly-known cyber weapon to cause an electric power outage via direct ICS protocol manipulation: the December 17, 2016 attack on the Ukrenergo Pivnichna substation in Kyiv cut a fifth of the capital off power for one hour (4th ICS-specific malware in the publicly-tracked chronology after Stuxnet, BlackEnergy and Havex).

Cluster-defining 4-protocol ICS payload capability: IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA, using legitimate industrial communication standards natively rather than exploits (per Grokipedia analysis, "one of the most advanced threats to critical infrastructure since Stuxnet"). Modular framework architecture: main backdoor, additional backdoor for alternative persistence, launcher, data wiper and the 4 protocol payloads.

Signature Siemens SIPROTEC relay denial-of-service module; Tor hidden services C2 with scheduled, time-windowed activity; hardcoded internal proxy connection on TCP 3128. Joe Slowik's (Dragos) August 2019 reassessment "CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack" elevated the threat profile from temporary outage to potential physical equipment damage via protection relay manipulation.

ESET in October 2018 established a direct TeleBots - Industroyer - NotPetya codebase link, consolidating Sandworm attribution across its signature campaigns.

The US Department of Justice indictment of October 15, 2020 against 6 GRU Unit 74455 officers, including for the Ukraine power grid attacks, established formal US government attribution. Industroyer2's April 8, 2022 repeat attack on Ukraine (a single Windows executable, 108_100.exe, with a PE timestamp of March 23, 2022 indicating 2+ weeks of attack planning, executed via scheduled task at 16:10:00 UTC against high-voltage electrical substations of a Ukrainian national energy provider) was streamlined to the IEC-104 protocol only with a detailed hardcoded configuration, and was deployed alongside the CaddyWiper destructive wiper and multi-OS disk wipers (Windows, Linux and Solaris); per Claroty, the "first known attempt to combine cyber and kinetic tactics during a time of war", coordinated with Russia's February 24, 2022 invasion of Ukraine.

Industroyer2 was built from the same source code as the original Industroyer per ESET's high-confidence assessment.

The attack was foiled through collaboration between the Ukrainian energy provider, CERT-UA and ESET, preventing a power outage.

Canonical industry baseline reference as the "first publicly-known cyber weapon causing electric power outage via direct ICS protocol manipulation", cited in essentially all subsequent ICS-targeting malware industry analyses through the 2017-2026 period.

The cluster represents Sandworm's signature ICS-specific malware platform capability, complementing the broader sandworm_team parent operator cluster with platform-specific operational details.

russia_apt_sandworm · confidence: high · 17 aliases · MITRE ATT&CK G0034
Sigma rules: 200 · YARA rules: 6 · Live IOCs: 0 · CVEs exploited: 0

Profile

Industroyer / CrashOverride / Industroyer2 (canonical ESET naming Industroyer per the June 12, 2017 WeLiveSecurity disclosure by Anton Cherepanov and Robert Lipovsky; canonical Dragos parallel naming CrashOverride per the June 13, 2017 Dragos disclosure by Robert M. Lee with ELECTRUM threat actor naming; cluster-defining successor variant Industroyer2 per the ESET April 12, 2022 disclosure) is an ICS-specific malware platform attributed to Sandworm Team (Russian GRU Unit 74455, also Mandiant APT44 / Microsoft Seashell Blizzard / Secureworks Iron Viking / CrowdStrike Voodoo Bear / Dragos ELECTRUM, curated separately in this corpus as the sandworm_team parent operator cluster). First publicly-known cyber weapon causing electric power outage via direct ICS protocol manipulation: the December 17, 2016 Kyiv Pivnichna substation attack cut a fifth of the capital off power for one hour. Per the ESET June 2017 disclosure title: "Biggest threat to industrial control systems since Stuxnet." 4th ICS-specific malware in the publicly-tracked chronology after Stuxnet (Iran 2009-2010), BlackEnergy (Ukraine 2015) and Havex (energy sector 2013-2014) per Security Affairs.

Operational phases:
  • (1) PREDECESSOR UKRAINE BLACKENERGY ATTACK (December 23, 2015): first publicly-known cyber attack causing an electric power outage.
  • (2) INDUSTROYER KYIV PIVNICHNA SUBSTATION ATTACK (December 17, 2016): second cyberattack on Ukraine's power grid in two years.
  • (3) ESET CANONICAL DISCLOSURE (June 12, 2017).
  • (4) DRAGOS CANONICAL CRASHOVERRIDE DISCLOSURE (June 13, 2017): coordinated with ESET, with ELECTRUM threat actor naming.
  • (5) TELEBOTS - INDUSTROYER - NOTPETYA CODEBASE LINK (October 2018): ESET established a direct codebase link.
  • (6) JOE SLOWIK PROTECTION-FOCUSED REASSESSMENT (August 2019): reframed the analysis around protection relay manipulation and its potential for physical equipment damage.
  • (7) US DOJ INDICTMENT (October 2020): 6 GRU Unit 74455 officers indicted.
  • (8) INDUSTROYER2 UKRAINE REPEAT ATTACK (April 8, 2022): first known attempt to combine cyber and kinetic tactics during wartime.
Signature operational tradecraft
  • 4-protocol ICS payload capability (cluster-defining): IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA, native use of legitimate industrial communication standards rather than exploits.
  • Modular framework architecture: main backdoor, additional backdoor (alternative persistence), launcher, data wiper, 4 protocol payloads and the Siemens SIPROTEC DoS module.
  • Siemens SIPROTEC relay DoS module: signature protection relay denial-of-service capability.
  • Tor hidden services C2: signature C2 infrastructure with scheduled, time-windowed activity per attackics.
  • TCP 3128 internal proxy connection: signature hardcoded internal proxy connection mechanism.
  • Data wiper module: signature forensic-trace removal.
  • Industroyer2 streamlined IEC-104 capability (signature 2022 evolution): single Windows executable vs. the modular framework; IEC-104 protocol only; hardcoded configuration.
  • CaddyWiper companion destructive wiper (signature 2022): Industroyer2 deployed alongside CaddyWiper and multi-OS disk wipers for Windows, Linux and Solaris.
  • First known cyber-kinetic coordinated wartime attack (signature 2022): Industroyer2 coordinated with Russia's February 24, 2022 invasion of Ukraine.
  • TeleBots - Industroyer - NotPetya codebase coherence (signature): ESET in October 2018 established a shared backdoor codebase across Sandworm's signature campaigns.
The cluster represents Sandworm's signature ICS-specific malware platform capability, operationally complementing the broader sandworm_team parent operator cluster with platform-specific operational details.
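The IEC-104 capability listed above consists of legitimate protocol messages rather than exploits, so detection has to inspect the commands themselves. As an added example (not code from this page, ESET or Dragos), the following parses IEC 60870-5-104 APDUs and flags activation commands sent by hosts outside an assumed allow-list of SCADA masters; the frames and hosts are constructed.

```python
"""Flag IEC 60870-5-104 control commands sent by hosts that are not SCADA masters.

Added example for this profile, not code from the page, ESET or Dragos. IEC-104
framing per the standard: APCI = 0x68, length, 4 control octets; an I-format
frame (bit 0 of the first control octet clear) carries an ASDU whose header is
type ID, VSQ, 2-byte cause of transmission (COT), 2-byte common address, then a
3-byte information object address (IOA). Type IDs 45-50 are the process-control
commands (single, double, step and setpoint) a protocol-native intrusion must
issue to operate breakers. Sample APDUs and hosts below are constructed.
"""
import struct

CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1",
                 48: "C_SE_NA_1", 49: "C_SE_NB_1", 50: "C_SE_NC_1"}
COT_ACTIVATION = 6  # cause of transmission "activation" = an operate request

def parse_apdu(data: bytes):
    """Return the ASDU header of an I-format APDU, or None for S/U frames."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        raise ValueError("malformed APCI")
    if data[2] & 0x01:  # S-format (..01) or U-format (..11) carries no ASDU
        return None
    if len(data) < 15:  # APCI(6) + ASDU header(6) + one IOA(3)
        raise ValueError("I-frame too short for an ASDU with one IOA")
    cot = struct.unpack_from("<H", data, 8)[0] & 0x3F  # low 6 bits = cause
    return {"type_id": data[6], "vsq": data[7], "cot": cot,
            "common_addr": struct.unpack_from("<H", data, 10)[0],
            "ioa": int.from_bytes(data[12:15], "little")}

def command_alerts(packets, allowed_sources):
    """Alert on activation commands from hosts outside the SCADA master list."""
    alerts = []
    for src, apdu in packets:
        asdu = parse_apdu(apdu)
        if asdu is None or asdu["type_id"] not in CONTROL_TYPES:
            continue  # keep-alives and monitoring data are not commands
        if asdu["cot"] == COT_ACTIVATION and src not in allowed_sources:
            alerts.append((src, CONTROL_TYPES[asdu["type_id"]],
                           asdu["common_addr"], asdu["ioa"]))
    return alerts

# Constructed traffic: a TESTFR U-frame, a single command (type 45, COT 6) from
# the SCADA master 10.0.0.5, then the same kind of command from another host.
SAMPLE = [
    ("10.0.0.5", bytes.fromhex("680443000000")),
    ("10.0.0.5", bytes.fromhex("680e02000200" "2d0106000100" "010000" "01")),
    ("10.0.0.99", bytes.fromhex("680e04000200" "2d0106000100" "020000" "01")),
]

def detect_sample():
    return command_alerts(SAMPLE, allowed_sources={"10.0.0.5"})
```

The same check applied to live traffic would feed from a capture of TCP port 2404 rather than the constructed SAMPLE list; an alert on an unexpected source is the protocol-level signal that signatures for exploits would never produce.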

Aliases

17 aliases
  • industroyer
  • crashoverride
  • crash override
  • industroyer_malware
  • industroyer_framework
  • crashoverride_malware
  • win32.industroyer
  • industroyer2
  • industroyer_2
  • 108_100.exe
  • electrum
  • electrum threat group
  • industroyer ukraine power grid 2016
  • industroyer2 ukraine power grid 2022
  • first electric grid blackout cyber weapon
  • iec 60870-5-104 ics malware
  • biggest threat ics since stuxnet

MITRE ATT&CK aliases

10 additional names MITRE lists for G0034:
  • Sandworm Team
  • Telebots
  • IRON VIKING
  • BlackEnergy (Group)
  • Quedagh
  • Voodoo Bear
  • IRIDIUM
  • Seashell Blizzard
  • FROZENBARENTS
  • APT44

Notable Campaigns

10 campaigns
  • 2022: Industroyer2 Ukraine Repeat Attack (April 8, 2022)
  • 2022: ESET Industroyer2 Canonical Disclosure (April 12, 2022)
  • 2020: US DOJ Indictment of Six GRU Unit 74455 Officers (October 2020)
  • 2019: Joe Slowik Protection-Focused Attack Reassessment (August 2019)
  • 2018: TeleBots - Industroyer - NotPetya Codebase Link (October 2018)
  • 2017-2026: Continued Industry Reference Status (2017-2026)
  • 2017: ESET Canonical Industroyer Disclosure (June 12, 2017)
  • 2017: Dragos Canonical CRASHOVERRIDE Disclosure (June 13, 2017)
  • 2016: Industroyer Kyiv Pivnichna Substation Attack (December 17, 2016)
  • 2015: Predecessor: Ukraine Power Grid BlackEnergy Attack (December 23, 2015)

Attribution & Reporting

Key reporting
  • ESET WeLiveSecurity (Anton Cherepanov + Robert Lipovsky): "Win32/Industroyer: Biggest threat to industrial control systems since Stuxnet" (June 12, 2017), canonical Industroyer disclosure
  • Dragos (Robert M. Lee): "CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations" (June 13, 2017), canonical parallel disclosure and ELECTRUM threat group naming
  • Andy Greenberg (WIRED): "'Crash Override': The Malware That Took Down a Power Grid" (June 12, 2017), canonical journalism
  • ESET (Anton Cherepanov + Robert Lipovsky): "New TeleBots backdoor: First evidence linking Industroyer to NotPetya" (October 11, 2018)
  • Joe Slowik (Dragos): "Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE" (October 12, 2018)
  • Joe Slowik (Dragos): "CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack" (August 15, 2019)
  • ESET (Anton Cherepanov): "Industroyer2: Industroyer reloaded" (April 12, 2022), canonical Industroyer2 disclosure
  • CERT-UA (Ukrainian Computer Emergency Response Team): Industroyer2 incident response collaboration, April 2022
  • Claroty Team82: "Industroyer2 Variant Surfaces in Foiled Attack Against Ukraine Electricity Provider" (April 12, 2022)
  • SCYTHE: "Threat Emulation: Industroyer2 Operation" (May 2022)
  • Andy Greenberg: "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers" (2019 book), canonical Sandworm chronicle including Industroyer
  • Mandiant / Google Threat Intelligence Group (Roncone et al.): "APT44: Unearthing Sandworm", canonical Sandworm = APT44 naming
  • Microsoft Threat Intelligence Center: Seashell Blizzard canonical tracking
  • Secureworks: IRON VIKING Threat Profile (May 2020)
  • CrowdStrike: Voodoo Bear canonical tracking
  • US Department of Justice (Scott W. Brady): October 15, 2020 indictment of 6 GRU Unit 74455 officers
  • MITRE ATT&CK Software S0604: Industroyer
  • Malpedia Software Profile: Industroyer

Operational

State sponsor

Russian state-sponsored APT, specifically Sandworm Team (GRU Unit 74455, also tracked as APT44 / Voodoo Bear / Iron Viking / Telebots / ELECTRUM by Dragos), curated separately in this corpus as the sandworm_team parent operator cluster. Industroyer represents Sandworm's signature ICS-specific malware platform capability, operationally significant for cluster-cell coherence with the broader Sandworm operational pattern against Ukrainian critical infrastructure.

Attribution chain:
  • (1) ESET canonical June 12, 2017 disclosure: Slovak cybersecurity company ESET (Anton Cherepanov and Robert Lipovsky) published the canonical "Win32/Industroyer: A new threat for industrial control systems" technical analysis. ESET title: "Industroyer: Biggest threat to industrial control systems since Stuxnet."
  • (2) Dragos parallel June 13, 2017 disclosure: ICS security firm Dragos (Robert M. Lee) published "CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations", coordinated with ESET, naming the malware CrashOverride and the threat actor ELECTRUM. Per Dragos: "ELECTRUM APT group is directly linked to the Sandworm APT group." This operationally established cluster-cell coherence with the Sandworm parent operator.
  • (3) ESET TeleBots - Industroyer - NotPetya linking (October 2018): per Anton Cherepanov and Robert Lipovsky, "New TeleBots backdoor: First evidence linking Industroyer to NotPetya", operationally establishing a direct codebase connection between Industroyer and Sandworm's NotPetya destructive campaign of June 2017.
  • (4) MITRE ATT&CK Software S0604: the canonical Industroyer MITRE ATT&CK Software entry, attributed to the Sandworm Team (G0034) operational pattern.
  • (5) Mandiant APT44 canonical Sandworm tracking (2024+): per Roncone et al., "APT44: Unearthing Sandworm", Mandiant elevated Sandworm to the APT44 named-cluster designation, including Industroyer as a signature capability.
  • (6) US Department of Justice indictment 2020: 6 Russian GRU Unit 74455 officers indicted, including for the Ukraine power grid attacks (NotPetya, Industroyer operations and the Olympics destruction). The indictment operationally established formal US government attribution.

Operational target profile:
  • December 17, 2016 Ukraine Kyiv Pivnichna substation attack: Industroyer was used in a cyberattack on Ukraine's power grid that cut a fifth of Kyiv (the capital) off power for one hour. Per Wikipedia: "The Kyiv incident was the second cyberattack on Ukraine's power grid in two years" (preceded by the December 23, 2015 BlackEnergy-attributed attack against 3 Ukrainian regional power distribution companies). Per Dragos (Robert M. Lee): "The CRASHOVERRIDE malware impacted a single transmission level substation in Ukraine on December 17th, 2016. Many elements of the attack appear to have been more of a proof of concept than what was fully capable in the malware." Operationally considered a large-scale test of the platform's capabilities.
  • April 8, 2022 Ukraine Industroyer2 deployment: per ESET (Anton Cherepanov) in collaboration with CERT-UA, high-voltage electrical substations managed by a Ukrainian national energy provider were targeted with the Industroyer2 single Windows executable (108_100.exe), executed via scheduled task at 2022-04-08 16:10:00 UTC. The PE timestamp of March 23, 2022 suggests the attackers planned the attack for 2+ weeks. Industroyer2 capability was streamlined to the IEC-104 protocol only (vs. the 4-protocol original Industroyer) and deployed alongside the CaddyWiper destructive wiper malware (also used against a Ukrainian bank earlier in 2022). Per Claroty and SCYTHE: the "first known attempt to combine cyber and kinetic tactics during a time of war", operationally coordinated with Russia's invasion of Ukraine that began February 24, 2022.

The cluster represents the first publicly-known cyber weapon causing electric power outage via direct ICS protocol manipulation, operationally significant as the 4th ICS-specific malware in the publicly-tracked chronology after Stuxnet (Iran 2009-2010), BlackEnergy (Ukraine 2015) and Havex (energy sector 2013-2014).
Motivations
first_publicly_known_cyber_weapon_electric_grid_blackout_via_ics_protocol_manipulation, ukraine_critical_infrastructure_disruption_during_russia_ukraine_conflict, native_ics_protocol_capability_demonstration_without_exploits, sandworm_apt44_ics_specific_malware_platform_capability, large_scale_test_of_electric_grid_attack_platform_2016, industroyer2_wartime_cyber_kinetic_coordinated_attack_2022, russian_strategic_objective_ukrainian_energy_sector_disruption

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 47/60 (78%)
  • Analytics (MITRE CAR): 23/60 (38%)
  • Runtime / container (Falco): 6/60 (10%)
  • File / malware (YARA): 0/60 (0%)
  • Network (Suricata/Snort): 14/60 (23%)
  • Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Main backdoor (Industroyer)
  • Sandworm / APT44 TeleBots backdoor link to Industroyer
  • Scheduled C2, active only at specified times
  • Siemens SIPROTEC DoS module
  • SIPROTEC relay denial of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin