Skip to content

S1072 Industroyer2

Industroyer2 is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in Industroyer. Security researchers assess that Industroyer2 was designed to cause impact to high-voltage electrical substations. The initial Industroyer2 sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.1

Item Value
ID S1072
Associated Names
Type MALWARE
Version 1.0
Created 30 March 2023
Last Modified 06 April 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1057 Process Discovery Industroyer2 has the ability to cyclically enumerate running processes such as PServiceControl.exe, PService_PDD.exe, and other targets supplied through a hardcoded configuration.2
ics T0802 Automated Collection Industroyer2 leverages a hardcoded list of remote-station IP addresses to iteratively initiate communications and collect information across multiple priority IEC-104 priority levels.4
ics T0806 Brute Force I/O Industroyer2 can iterate across a device’s IOAs to modify the ON/OFF value of a given IO state.24
ics T0836 Modify Parameter Industroyer2 modifies specified Information Object Addresses (IOAs) for specified Application Service Data Unit (ASDU) addresses to either the ON or OFF state.24
ics T0801 Monitor Process State Industroyer2 uses a General Interrogation command to monitor the device’s Information Object Addresses (IOAs) and their IO state values.4
ics T0888 Remote System Information Discovery Industroyer2 has the capability to poll a target device about its connection status, data transfer status, Common Address (CA), Information Object Addresses (IOAs), and IO state values across multiple priority levels.43
ics T0881 Service Stop Industroyer2 has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. These are defined through a hardcoded configuration.2
ics T0855 Unauthorized Command Message Industroyer2 is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.24

Groups That Use This Software

ID Name References
G0034 Sandworm Team 3

References