Red Hot Cyber


Industroyer: The Malware That Shut Down Kiev and Threatens Global Power Grids

Massimiliano Brolli : 3 August 2025 11:14

The Industroyer malware, also known as Crashoverride, was a framework developed by Russian hackers, deployed in 2016 against Ukraine’s power grid. The attack left Kiev without power for an hour.

The malware was considered an evolution of earlier strains such as Havex and BlackEnergy, which had previously been used against power grids. However, unlike Havex and BlackEnergy (which were closer to generic Windows malware deployed against the Windows hosts running industrial software), Industroyer contained components specifically designed to interact with Siemens power grid equipment.

The Industroyer malware

Six months after a hacking attack that caused a blackout in Kiev, Ukraine, security researchers warned that the malware used in the attack would be “easy” to convert into attacks on other power grids around the world.

The discovery of the malware, dubbed “Industroyer,” or “Crash Override,” highlights the vulnerability of critical infrastructure, just months after the WannaCry ransomware claimed victims across the globe.

Industroyer, analyzed by researchers from Slovakian firm ESET and US-based Dragos, is only the second known case of a virus specifically designed and released to disrupt industrial control systems. The first known case was Stuxnet, a worm that sabotaged Iran’s nuclear program, believed to have been built in collaboration between the United States and Israel, although there are no official sources.

The virus attacks electrical substations and circuit breakers using standardized industrial communication protocols across a range of critical infrastructure types, from power, water, and gas to transportation control.

These control protocols date back decades, long before security practices like encryption and authentication were standardized. Their distinctive feature is that they are also used on networks that are not directly connected to the Internet (air-gapped networks).

Targets

The Industroyer malware was used in a massive cyberattack in Ukraine on December 17, 2016; the timed attack targeted electricity distribution substations in Kyiv and hijacked circuit breakers in ICS to cut off electricity, leading to massive blackouts that lasted for many hours. “With this, it joined an elite club of only three malware families known to be used in ICS attacks,” namely BlackEnergy, Stuxnet, and Havex.

The incident should not be confused with another cyberattack that targeted Ukraine in December 2015, which also knocked out power to large areas of western Ukraine. These incidents were caused by another ICS malware called BlackEnergy.

What Industroyer demonstrated, especially compared to the widespread blackouts caused by another cyberattack a year earlier, is that all of this could happen automatically.

Previous attacks, though more damaging, required human control to generate the expected outages. In contrast, Industroyer caused all of this automatically, causing a major capital city to go into an hour-long blackout. This led some to wonder whether the Kiev attack was more of a test to see if the malware would work in practice, or something similar. But regardless, says Anton Cherepanov, senior malware researcher at ESET:

“it should serve as a wake-up call to those responsible for the security of critical systems around the world.”

In addition to its attack capabilities, Industroyer also has the ability to damage the controlling PC itself, rendering it unbootable and thus potentially prolonging the outage.

The U.S. Department of Homeland Security said it was investigating the malware, although it found no evidence to suggest it had infected critical US infrastructure. No specific attribution has been confirmed for the Kiev attack, but the Ukrainian government has blamed Russia, as it did for the 2015 attacks. Moscow officials have repeatedly denied responsibility.

Capabilities

Industroyer is a sophisticated, modular malware that includes several components such as a backdoor, a launcher, a data wiper, at least four payloads, and many other tools. The experts focused their analysis on the payloads (IEC 60870-5-101 (aka IEC 101), IEC 60870-5-104 (aka IEC 104), IEC 61850, and OLE for Process Control Data Access (OPC DA)), which are the main components that give the malware control over electrical switches.

The Industroyer backdoor allows attackers to execute various commands on the system, while the C&C server is hidden in the Tor network and can be programmed to be active only at certain times, making it difficult to detect. The backdoor installs the launcher component, which launches the wiper and payloads, and also releases a second backdoor disguised as a Trojanized version of the Windows Notepad application.

The wiper component is used in the final stage of the attack to hide traces and make it difficult to restore the targeted systems. The payloads allow the malware to control switches and implement industrial communication protocols. ESET researchers believe the malware developers had deep knowledge of power grid operations and industrial network communications to design malware of this caliber.
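As an added example (not part of the original article or of ESET's analysis), a small Python detector for the IEC 104 protocol named above: it parses the APCI and ASDU header of each frame and flags activation-stage control commands (single, double and regulating step, type IDs 45 to 47 in the standard) sent by any host that is not the allow-listed SCADA master. The IP addresses, the allow-list and the sample frames are constructed for the example.

```python
import struct

# IEC 60870-5-104 type identifiers for switch/breaker control (values from the standard)
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step command"}
COT_ACTIVATION = 6  # cause of transmission: activation

# Constructed allow-list (hypothetical): the only SCADA master permitted to send controls
ALLOWED_MASTERS = {"10.0.10.5"}

def build_control_apdu(type_id, common_addr, ioa, element, cot=COT_ACTIVATION):
    """Build an I-format IEC 104 APDU carrying one control object (used to construct samples)."""
    asdu = (bytes([type_id, 1, cot, 0]) + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + bytes([element]))
    # APCI: start byte, length of the rest, four control octets (I-format, sequence numbers 0)
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu

def parse_apdu(apdu):
    """Parse an APDU; return ASDU header fields for I-format frames, None for S/U-format."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        raise ValueError("malformed APCI")
    if apdu[2] & 0x01:                      # S- and U-format frames carry no ASDU
        return None
    asdu = apdu[6:]
    if len(asdu) < 9:
        raise ValueError("truncated ASDU")
    return {"type_id": asdu[0], "num_objects": asdu[1] & 0x7F, "cot": asdu[2] & 0x3F,
            "originator": asdu[3], "common_addr": struct.unpack_from("<H", asdu, 4)[0],
            "ioa": int.from_bytes(asdu[6:9], "little")}

def flag_control_commands(frames):
    """Alert on activation-stage control ASDUs from any host outside ALLOWED_MASTERS."""
    alerts = []
    for src_ip, apdu in frames:
        f = parse_apdu(apdu)
        if f and f["type_id"] in CONTROL_TYPES and f["cot"] == COT_ACTIVATION \
                and src_ip not in ALLOWED_MASTERS:
            alerts.append(f"{src_ip}: {CONTROL_TYPES[f['type_id']]} "
                          f"CA={f['common_addr']} IOA={f['ioa']}")
    return alerts

# Constructed sample traffic as (source IP, APDU); 10.0.10.77 is a hypothetical rogue host
SAMPLE_FRAMES = [
    ("10.0.10.5", bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),  # U-format STARTDT act
    ("10.0.10.5", build_control_apdu(45, 1, 1001, 0x01)),        # legitimate single command
    ("10.0.10.77", build_control_apdu(45, 1, 1001, 0x00)),       # rogue single command
    ("10.0.10.77", build_control_apdu(46, 1, 2001, 0x01)),       # rogue double command
]

if __name__ == "__main__":
    for alert in flag_control_commands(SAMPLE_FRAMES):
        print("ALERT", alert)
```

In a real deployment the frames would come from a network tap on the substation segment, and the allow-list would be the engineering workstation and SCADA master addresses.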

“In addition to all this, the malware authors also wrote a tool that implements a denial-of-service (DoS) attack against a particular family of protection relays, specifically the Siemens SIPROTEC range,” ESET said.

“The capabilities of this malware are significant. Compared to the toolset used by threat actors in the 2015 attacks against the Ukrainian power grid that culminated in a blackout on December 23, 2015 (BlackEnergy, KillDisk, and other components, including legitimate remote access software), the gang behind Industroyer is more advanced, as they’ve gone to great lengths to create malware that can directly control switches and circuit breakers.”

Both ESET and Dragos have collected evidence suggesting that Industroyer was involved in the 2016 power outages in the Kiev region, attributed to Russian state-sponsored hackers.

Who created Industroyer

Industroyer is highly customizable malware. While universal in that it can be used to attack any industrial control system using some of the targeted communication protocols, some of the components in the analyzed samples were designed to target specific hardware.

Researchers at Dragos, a company specializing in industrial control systems (ICS) security, believe that the Electrum APT group is directly related to the Sandworm APT group. ESET highlighted that although there are no code similarities between the malware used in the 2015 and 2016 attacks in Ukraine, some components are similar in concept.

Electrum APT is still an active group, although evidence suggests that the group is no longer exclusively focused on Ukraine. The group’s ongoing activity and connection to the Sandworm team indicate that Electrum could also cause damage in other geographic areas. Dragos considers Electrum one of the most competent and sophisticated threat groups currently operating in the ICS sector.

Sources
https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet
https://www.redhotcyber.com/wp-content/uploads/attachments/CrashOverride-01.pdf

Massimiliano Brolli
Responsible for the RED Team and Cyber Threat Intelligence of a large Telecommunications company and 4G/5G cyber security labs. He has held managerial positions ranging from ICT Risk Management to software engineering to teaching in university master's programs.
