S0604 Industroyer
Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.1 Industroyer was used in the attacks on the Ukrainian power grid in December 2016.2 This is the first publicly known malware specifically designed to target and impact operations in the electric grid.3
Item | Value |
---|---|
ID | S0604 |
Associated Names | CRASHOVERRIDE, Win32/Industroyer |
Type | MALWARE |
Version | 1.1 |
Created | 04 January 2021 |
Last Modified | 20 October 2022 |
Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
Name | Description |
---|---|
CRASHOVERRIDE | 2 |
Win32/Industroyer | 1 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Industroyer’s main backdoor connected to a remote C2 server using HTTPS.1 |
enterprise | T1554 | Compromise Client Software Binary | Industroyer has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism.1 |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | Industroyer can use an arbitrary system service to load at system boot for persistence and replaces the ImagePath registry value of a Windows service with a new backdoor binary.2 |
enterprise | T1485 | Data Destruction | Industroyer’s data wiper module clears registry keys and overwrites both ICS configuration and Windows files.2 |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Industroyer decrypts code to connect to a remote C2 server.1 |
enterprise | T1499 | Endpoint Denial of Service | - |
enterprise | T1499.004 | Application or System Exploitation | Industroyer uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices.1 |
enterprise | T1041 | Exfiltration Over C2 Channel | Industroyer sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request.1 |
enterprise | T1083 | File and Directory Discovery | Industroyer’s data wiper component enumerates specific files on all the Windows drives.1 |
enterprise | T1105 | Ingress Tool Transfer | Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory.1 |
enterprise | T1046 | Network Service Discovery | Industroyer uses a custom port scanner to map out a network.1 |
enterprise | T1027 | Obfuscated Files or Information | Industroyer uses heavily obfuscated code in its Windows Notepad backdoor.1 |
enterprise | T1572 | Protocol Tunneling | Industroyer attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel.2 |
enterprise | T1090 | Proxy | - |
enterprise | T1090.003 | Multi-hop Proxy | Industroyer used Tor nodes for C2.2 |
enterprise | T1012 | Query Registry | Industroyer has a data wiper component that enumerates keys in the Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services .1 |
enterprise | T1018 | Remote System Discovery | Industroyer can enumerate remote computers in the compromised network.1 |
enterprise | T1489 | Service Stop | Industroyer’s data wiper module writes zeros into the registry keys in SYSTEM\CurrentControlSet\Services to render a system inoperable.2 |
enterprise | T1082 | System Information Discovery | Industroyer collects the victim machine’s Windows GUID.2 |
enterprise | T1016 | System Network Configuration Discovery | Industroyer’s 61850 payload component enumerates connected network adapters and their corresponding IP addresses.1 |
enterprise | T1078 | Valid Accounts | Industroyer can use supplied user credentials to execute processes and stop services.1 |
ics | T0800 | Activate Firmware Update Mode | The Industroyer SPIROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. 6 |
ics | T0802 | Automated Collection | Industroyer automatically collects protocol object data to learn about control devices in the environment. 4 |
ics | T0803 | Block Command Message | In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. 4 |
ics | T0804 | Block Reporting Message | Industroyer uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. 4 |
ics | T0805 | Block Serial COM | In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. 4 |
ics | T0806 | Brute Force I/O | The Industroyer IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. 4 |
ics | T0807 | Command-Line Interface | The name of the Industroyer payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors execute a shell command commands. 4 |
ics | T0884 | Connection Proxy | Industroyer attempts to connect with a hardcoded internal proxy on TCP 3128 [default Squid proxy]. If established, the backdoor attempts to reach an external C2 server via the internal proxy. 5 |
ics | T0809 | Data Destruction | Industroyer has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files. 5 |
ics | T0813 | Denial of Control | Industroyer is able to block serial COM channels temporarily causing a denial of control. 4 |
ics | T0814 | Denial of Service | The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. 4 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E. 4 |
ics | T0815 | Denial of View | Industroyer is able to block serial COM channels temporarily causing a denial of view. 4 |
ics | T0816 | Device Restart/Shutdown | The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. 4 |
ics | T0827 | Loss of Control | Industroyer‘s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. 4 |
ics | T0837 | Loss of Protection | Industroyer contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. 6 |
ics | T0829 | Loss of View | Industroyer‘s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. 4 |
ics | T0831 | Manipulation of Control | Industroyer toggles breakers to the open state utilizing unauthorized command messages. 4 |
ics | T0832 | Manipulation of View | Industroyer‘s OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a Primary Variable Out of Limits misdirecting operators from understanding protective relay status. 4 |
ics | T0801 | Monitor Process State | Industroyer‘s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. 4 |
ics | T0840 | Network Connection Enumeration | Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. 4 |
ics | T0846 | Remote System Discovery | The Industroyer IEC 61850 payload component has the ability to discover relevant devices in the infected host’s network subnet by attempting to connect on port 102.4 |
ics | T0888 | Remote System Information Discovery | The Industroyer IEC 61850 component sends the domain-specific MMSgetNameList request to determine what logical nodes the device supports. It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function.1 |
ics | T0881 | Service Stop | Industroyer has the capability to stop a service itself, or to login as a user and stop a service as that user. 4 |
ics | T0855 | Unauthorized Command Message | Using its protocol payloads, Industroyer sends unauthorized commands to RTUs to change the state of equipment. 4 |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0034 | Sandworm Team | 321786 |
References
-
Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020. ↩↩↩↩↩↩↩↩↩
-
Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. ↩↩
-
Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ↩↩
-
Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ↩↩↩
-
Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. ↩
-
Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. ↩