2022-07-26 by Thibault van Geluwe de Berlaere from Mandiant
2022-04-20 by CISA from CISA
2022-04-20 by CISA from CISA
2022-04-12 by Cert-UA from Cert-UA
2022-04-12 by ESET Research from ESET Research
2022-02-24 by Michel Coene from nviso
2022-02-24 by TESORION from Tesorion
2021-02-11 by Joe Slowik from DomainTools
2020-12-21 by Adam Hlavek from IronNet
2020-11-12 by Dragos from Dragos
2020-10-19 by Curtis from Riskint Blog
2020-10-19 by Foreign, Commonwealth & Development Office from UK Government
2020-01-31 by Michal Poslušný from Virus Bulletin
2020 by SecureWorks from Secureworks
2020-01 by Joe Slowik from Dragos
2018-10-11 by Anton Cherepanov from ESET Research
2017-10-05 by Anton Cherepanov from Virus Bulletin
2017-07-04 by Various from Wikipedia
2017-06-13 by Dragos from Dragos
2017-06-12 by Anton Cherepanov from ESET Research
2017-06-12 by Anton Cherepanov from ESET Research
Tool: Industroyer
Names: Industroyer, Crash, CrashOverride, CRASHOVERRIDE, Win32/Industroyer
Description: (ESET) Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas). These switches and circuit breakers are digital equivalents of analogue switches; technically they can be engineered to perform various functions. Thus, the potential impact may range from simply turning off power distribution to cascading failures and more serious damage to equipment. The severity may also vary from one substation to another. Needless to say, disruption of such systems can directly or indirectly affect the functioning of vital services. Industroyer’s dangerousness lies in the fact that it uses protocols in the way they were designed to be used. The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world. Thus, their communication protocols were not designed with security in mind. That means that the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware “to speak” those protocols.
Category: Malware
Type: ICS malware, Backdoor
Information: https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
Information: https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Information: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
Information: https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
Information: https://en.wikipedia.org/wiki/Industroyer
Mitre-attack: https://attack.mitre.org/software/S0604/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:Industroyer
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Use |
---|---|---|
TA0001 Initial Access, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion | T1078 Valid Accounts | Industroyer can use supplied user credentials to execute processes and stop services. |
TA0003 Persistence | T1554 Compromise Client Software Binary | Industroyer has used a trojanized version of the Windows Notepad application as an additional backdoor persistence mechanism. |
TA0003 Persistence, TA0004 Privilege Escalation | T1543.003 Create or Modify System Process: Windows Service | Industroyer can use an arbitrary system service to load at system boot for persistence and replaces the ImagePath registry value of a Windows service with a new backdoor binary. |
TA0005 Defense Evasion | T1140 Deobfuscate/Decode Files or Information | Industroyer decrypts code to connect to a remote C2 server. |
TA0005 Defense Evasion | T1027 Obfuscated Files or Information | Industroyer uses heavily obfuscated code in its Windows Notepad backdoor. |
TA0007 Discovery | T1083 File and Directory Discovery | Industroyer’s data wiper component enumerates specific files on all the Windows drives. |
TA0007 Discovery | T1012 Query Registry | Industroyer has a data wiper component that enumerates keys in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. |
TA0007 Discovery | T1016 System Network Configuration Discovery | Industroyer’s 61850 payload component enumerates connected network adapters and their corresponding IP addresses. |
TA0011 Command and Control | T1071.001 Application Layer Protocol: Web Protocols | Industroyer’s main backdoor connected to a remote C2 server using HTTPS. |
TA0011 Command and Control | T1105 Ingress Tool Transfer | Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory. |
TA0011 Command and Control | T1572 Protocol Tunneling | Industroyer attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel. |
TA0010 Exfiltration | T1041 Exfiltration Over C2 Channel | Industroyer sends information about hardware profiles and previously received commands back to the C2 server in a POST request. |
TA0040 Impact | T1485 Data Destruction | Industroyer’s data wiper module clears registry keys and overwrites both ICS configuration and Windows files. |
TA0040 Impact | T1499.004 Endpoint Denial of Service: Application or System Exploitation | Industroyer uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices. |
TA0040 Impact | T1489 Service Stop | Industroyer’s data wiper module writes zeros into the registry keys in SYSTEM\CurrentControlSet\Services to render a system inoperable. |
No techniques are listed on the card for Reconnaissance (TA0043), Resource Development (TA0042), Execution (TA0002), Credential Access (TA0006), Lateral Movement (TA0008) or Collection (TA0009).
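Of the techniques in the table, the two that touch the Services registry key (T1543.003, an existing service's ImagePath replaced with a backdoor binary; T1489, the wiper zeroing values under SYSTEM\CurrentControlSet\Services) are the ones most readily hunted from host telemetry. The Python below is an added example, not code from this card, from ESET, Dragos or MITRE, and not Industroyer's own code. It runs a baseline comparison plus a burst heuristic over constructed records shaped like Sysmon Event ID 13 (RegistryEvent: SetValue) flattened to key=value lines; the service names, binary paths, process names, the trusted-root list and the threshold of three zeroed services are all assumptions chosen for the example.

```python
"""Hunt for two service-registry behaviours listed for Industroyer: T1543.003 (an
existing service's ImagePath redirected to a backdoor binary) and T1489 (values under
SYSTEM\\CurrentControlSet\\Services zeroed by the wiper). Added example, not Industroyer
code and not a published ESET/Dragos/MITRE rule; input is constructed Sysmon-13-style data."""

import re
from collections import defaultdict

# A value under the Services key of the active or any numbered control set.
SERVICE_VALUE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\"
    r"(?P<service>[^\\]+)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Assumption: service binaries are expected under these roots (tune per estate).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: known-good ImagePath values captured from a golden image (constructed).
BASELINE_IMAGEPATH = {
    "spooler": r"C:\Windows\System32\spoolsv.exe",
    "wuauserv": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    "w32time": r"C:\Windows\system32\svchost.exe -k LocalService",
}

# Constructed records shaped like Sysmon Event ID 13 (RegistryEvent: SetValue),
# flattened to "key=value | key=value" lines; every path and name is invented.
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services"
SAMPLE_EVENTS = [
    # existing service pointed at a dropped binary (T1543.003)
    rf"EventType=SetValue | Image=C:\Windows\Temp\dropper.exe | TargetObject={SVC}\Spooler\ImagePath | Details=C:\Users\Public\svchelper.exe",
    # benign: ImagePath rewritten with its baseline value during an update
    rf"EventType=SetValue | Image=C:\Windows\System32\svchost.exe | TargetObject={SVC}\wuauserv\ImagePath | Details=C:\Windows\system32\svchost.exe -k netsvcs -p",
    # unknown service whose binary sits under a trusted root: not flagged
    rf'EventType=SetValue | Image=C:\Windows\System32\services.exe | TargetObject={SVC}\VendorAgent\ImagePath | Details="C:\Program Files\Vendor\agent.exe" --service',
    # unknown service whose binary sits in a user-writable directory
    rf"EventType=SetValue | Image=C:\Windows\System32\services.exe | TargetObject={SVC}\UpdHelper\ImagePath | Details=C:\ProgramData\upd\helper.exe",
    # a single zero write is routine and stays below the burst threshold
    rf"EventType=SetValue | Image=C:\Windows\System32\services.exe | TargetObject={SVC}\VendorAgent\DelayedAutostart | Details=DWORD (0x00000000)",
    # wiper pass: one process blanking values across many services (T1489)
    rf"EventType=SetValue | Image=C:\Windows\Temp\wiper.exe | TargetObject={SVC}\Spooler\ImagePath | Details=",
    rf"EventType=SetValue | Image=C:\Windows\Temp\wiper.exe | TargetObject={SVC}\W32Time\ImagePath | Details=",
    rf"EventType=SetValue | Image=C:\Windows\Temp\wiper.exe | TargetObject={SVC}\wuauserv\ImagePath | Details=",
    rf"EventType=SetValue | Image=C:\Windows\Temp\wiper.exe | TargetObject={SVC}\EventLog\Start | Details=DWORD (0x00000000)",
]


def parse_event(line):
    """Split a flattened record into a dict; values may contain spaces but not ' | '."""
    record = {}
    for field in line.split(" | "):
        key, _, val = field.partition("=")
        record[key.strip()] = val
    return record


def normalize_path(image_path):
    """Lower-case, drop surrounding quotes and the \\??\\ NT prefix, expand %SystemRoot%."""
    p = image_path.strip().strip('"').lower()
    return p.replace("\\??\\", "").replace("%systemroot%", "c:\\windows")


def is_zeroed(details):
    """True for what a zero write looks like in the log: empty, DWORD 0, or all-NUL/'0' data."""
    d = details.strip()
    m = re.fullmatch(r"DWORD \(0x([0-9a-f]+)\)", d, re.IGNORECASE)
    if m:
        return int(m.group(1), 16) == 0
    return set(d) <= {"0", "\x00"}


def hunt(lines, zero_threshold=3):
    """Return (technique, service(s), detail) findings for the given records."""
    findings = []
    zeroed_by_image = defaultdict(set)
    for line in lines:
        rec = parse_event(line)
        if rec.get("EventType") != "SetValue":
            continue
        m = SERVICE_VALUE.match(rec.get("TargetObject", ""))
        if not m:
            continue
        service, value = m.group("service"), m.group("value")
        details, image = rec.get("Details", ""), rec.get("Image", "?")
        if is_zeroed(details):
            # One zero write is routine; the wiper signature is many services from one process.
            zeroed_by_image[image].add(service.lower())
            continue
        if value.lower() != "imagepath":
            continue
        new_path = normalize_path(details)
        baseline = BASELINE_IMAGEPATH.get(service.lower())
        if baseline is not None and new_path != normalize_path(baseline):
            findings.append(("T1543.003", service, f"ImagePath changed from {baseline!r} to {details!r} by {image}"))
        elif baseline is None and not new_path.startswith(TRUSTED_ROOTS):
            findings.append(("T1543.003", service, f"new service binary outside trusted roots: {details!r} by {image}"))
    for image, services in zeroed_by_image.items():
        if len(services) >= zero_threshold:
            findings.append(("T1489", ",".join(sorted(services)), f"{len(services)} services zeroed by {image}"))
    return findings


if __name__ == "__main__":
    for technique, target, detail in hunt(SAMPLE_EVENTS):
        print(f"{technique:10} {target:40} {detail}")
```

Two caveats for turning this into a production rule. Services hosted by svchost.exe carry their real code in the ServiceDll value under the service's Parameters subkey, so the baseline comparison has to cover that value as well as ImagePath, otherwise a swapped DLL passes the trusted-root check. And because the card also lists T1012 (the wiper enumerates the Services key before it writes), a burst of registry reads against that key from the same process immediately before the zero writes is the corroborating context worth correlating on rather than alerting on the first blanked value.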