Industroyer / CrashOverride
What is Industroyer / CrashOverride?
Industroyer / CrashOverride
Modular ICS malware used in the 2016 Ukraine power-grid attack and updated as Industroyer2 in 2022, capable of speaking native grid protocols to trip substations.
Industroyer (also called CrashOverride) is a modular ICS malware framework first used on 17 December 2016 against the Pivnichna transmission substation north of Kyiv, Ukraine, causing a roughly hour-long power outage. Unlike the December 2015 grid attack, in which the operators opened breakers by hand through hijacked HMI sessions, Industroyer directly implemented IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA, plus a denial-of-service module for Siemens SIPROTEC protection relays, so it could enumerate and command RTUs, IEDs, and relays without a human at the console; a data-wiper component then overwrote configuration files and registry keys to render hosts unbootable and slow recovery. ESET, Dragos, and several Western governments have attributed Industroyer to the Russian GRU's Sandworm group (tracked by Dragos as ELECTRUM). A successor, Industroyer2, was discovered in April 2022 by ESET and CERT-UA during an attempted attack on a Ukrainian energy provider; it kept only the IEC 104 module, with target stations and IOAs hardcoded in its configuration, and was deployed alongside wipers for Windows, Linux, and Solaris. The framework remains the clearest demonstration that adversaries can build reusable, protocol-aware ICS tooling.
● Examples
- 01
Iterating over information object addresses (IOAs) and sending IEC 60870-5-104 control commands to open circuit breakers at a Ukrainian transmission substation.
- 02
Using the SIPROTEC denial-of-service module, which sends a crafted UDP packet to port 50000 to exploit CVE-2015-5374, to knock Siemens protection relays offline so the substation was left unprotected while breakers were being opened.
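The control path used in the first example above, IEC 104 activation commands addressed to breaker IOAs, is also where a defender can watch for it. The following added example, written for this entry and not code from Industroyer, Industroyer2 or any vendor product, parses IEC 104 APDUs, decodes single and double commands, and raises alerts when an activation command arrives from a host other than the allow-listed SCADA master or when one host sweeps many IOAs in a short window, the pattern left by the 104 payload's iteration over address ranges. The IP addresses, thresholds and sample frames are constructed for illustration.

```python
"""Minimal IEC 60870-5-104 control-command detector (added example, not Industroyer code).
Decodes IEC 104 APDUs (TCP payload on port 2404), pulls out control ASDUs, and alerts on
commands from hosts other than the allow-listed SCADA master or on one host sweeping many
information object addresses (IOAs). Sample traffic, addresses and thresholds are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# IEC 60870-5-101/104 type identifications for single/double commands (with and without time tag).
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 58: "C_SC_TA_1", 59: "C_DC_TA_1"}
COT_ACTIVATION = 6  # cause of transmission "activation": the master asks the outstation to act

@dataclass
class ControlCommand:
    type_id: int
    cot: int
    common_address: int
    ioa: int
    select: bool  # S/E bit of the qualifier: True = select, False = execute
    state: str    # "ON" / "OFF" / "INVALID"

def parse_apdu(data: bytes) -> Optional[ControlCommand]:
    """Return the control command in an I-format APDU, or None for anything else."""
    if len(data) < 6 or data[0] != 0x68 or data[1] + 2 != len(data):
        return None  # start byte 0x68 followed by the APDU length byte
    if data[2] & 0x01:
        return None  # S- or U-format frame: supervisory/unnumbered, carries no ASDU
    asdu = data[6:]  # type id, VSQ, COT, originator, common address (2), then IOA (3) + qualifier
    if len(asdu) < 10 or asdu[0] not in CONTROL_TYPES:
        return None
    cot = asdu[2] & 0x3F  # bits 0-5; bit 6 is P/N, bit 7 is the test flag
    common_address = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    qual = asdu[9]
    if asdu[0] in (45, 58):  # SCO: single-command state in bit 0
        state = "ON" if qual & 0x01 else "OFF"
    else:                    # DCO: double-command state in bits 0-1 (1 = OFF, 2 = ON)
        state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
    return ControlCommand(asdu[0], cot, common_address, ioa, bool(qual & 0x80), state)

Frame = Tuple[float, str, str, bytes]  # (timestamp, src_ip, dst_ip, tcp payload)

def detect(frames: Iterable[Frame], allowed_masters: Set[str],
           sweep_threshold: int = 5, window_s: float = 2.0) -> List[str]:
    """Scan frames and return alert strings. Thresholds are assumptions; tune them per site."""
    alerts: List[str] = []
    recent: Dict[str, List[Tuple[float, int]]] = {}  # src_ip -> executed (timestamp, ioa)
    for ts, src, dst, payload in frames:
        cmd = parse_apdu(payload)
        if cmd is None or cmd.cot != COT_ACTIVATION:
            continue
        if src not in allowed_masters:
            alerts.append(f"{src}->{dst}: {CONTROL_TYPES[cmd.type_id]} {cmd.state} IOA {cmd.ioa} "
                          "from non-master host")
        if cmd.select:
            continue  # only executes change breaker state; selects alone are harmless
        hist = [(t, i) for t, i in recent.get(src, []) if ts - t <= window_s] + [(ts, cmd.ioa)]
        distinct = {i for _, i in hist}
        if len(distinct) >= sweep_threshold:
            alerts.append(f"{src}->{dst}: {len(distinct)} distinct IOAs commanded within "
                          f"{window_s}s (possible IOA sweep)")
            hist = []
        recent[src] = hist
    return alerts

def build_single_command(ioa: int, on: bool, select: bool, ca: int = 1) -> bytes:
    """Build a C_SC_NA_1 activation APDU with zero sequence numbers for the constructed sample."""
    sco = (0x80 if select else 0x00) | (0x01 if on else 0x00)
    asdu = bytes([45, 0x01, COT_ACTIVATION, 0x00, ca & 0xFF, ca >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, sco])
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu

# Constructed sample: the master does a normal select/execute on one breaker, then an
# unknown host fires OFF executes at six consecutive IOAs, the pattern of an IOA sweep.
SAMPLE_FRAMES: List[Frame] = [
    (0.0, "10.1.1.10", "10.1.2.50", build_single_command(1001, on=False, select=True)),
    (0.5, "10.1.1.10", "10.1.2.50", build_single_command(1001, on=False, select=False)),
] + [(1.0 + 0.1 * n, "10.1.1.77", "10.1.2.50", build_single_command(2000 + n, on=False, select=False))
     for n in range(6)]

def run_sample() -> List[str]:
    return detect(SAMPLE_FRAMES, allowed_masters={"10.1.1.10"})

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed sample the detector raises six "non-master host" alerts (one per rogue execute) and one "IOA sweep" alert once five distinct addresses have been commanded inside the window, while the master's own select/execute pair stays silent. In production the frames would come from a span port or a PCAP rather than a list, and the master allow-list and sweep threshold would be taken from the site's engineering documentation.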
● Frequently asked questions
What is Industroyer / CrashOverride?
Modular ICS malware used in the 2016 Ukraine power-grid attack and updated as Industroyer2 in 2022, capable of speaking native grid protocols to trip substations. It belongs to the OT / ICS / IoT category of cybersecurity.
What does Industroyer / CrashOverride mean?
Modular ICS malware used in the 2016 Ukraine power-grid attack and updated as Industroyer2 in 2022, capable of speaking native grid protocols to trip substations.
How does Industroyer / CrashOverride work?
Industroyer (also called CrashOverride) is a modular ICS malware framework first used on 17 December 2016 against the Pivnichna transmission substation north of Kyiv, Ukraine, causing a roughly hour-long power outage. Unlike the December 2015 grid attack, in which the operators opened breakers by hand through hijacked HMI sessions, Industroyer directly implemented IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA, plus a denial-of-service module for Siemens SIPROTEC protection relays, so it could enumerate and command RTUs, IEDs, and relays without a human at the console; a data-wiper component then overwrote configuration files and registry keys to render hosts unbootable and slow recovery. ESET, Dragos, and several Western governments have attributed Industroyer to the Russian GRU's Sandworm group (tracked by Dragos as ELECTRUM). A successor, Industroyer2, was discovered in April 2022 by ESET and CERT-UA during an attempted attack on a Ukrainian energy provider; it kept only the IEC 104 module, with target stations and IOAs hardcoded in its configuration, and was deployed alongside wipers for Windows, Linux, and Solaris. The framework remains the clearest demonstration that adversaries can build reusable, protocol-aware ICS tooling.
How do you defend against Industroyer / CrashOverride?
Defences for Industroyer / CrashOverride combine technical controls and operational practice: strict segmentation between the IT network and the control zone, with remote access to OT limited to allow-listed hosts and accounts; disabling OPC DA and any protocol interface a station does not actually use; allow-listing which hosts may act as IEC 101 / IEC 104 masters and alerting on control-direction ASDUs (type IDs 45-51 and 58-64) from any other source, on rapid sweeps across many IOAs, and on UDP/50000 traffic aimed at SIPROTEC relays; patching or network-filtering CVE-2015-5374 on the relays themselves; application control and monitoring on the Windows hosts from which the malware launches its protocol modules; offline, tested backups of SCADA servers and RTU/relay configurations so the wiper cannot block restoration; and rehearsed procedures for operating substations manually while control systems are rebuilt.
What are other names for Industroyer / CrashOverride?
Common alternative names include: CrashOverride (the name Dragos gave the malware). Industroyer2 is the 2022 successor rather than an alias, and Dragos tracks the operators as ELECTRUM.
● Related terms
- ot-iot№ 529
Industrial Control System (ICS)
An umbrella term for systems that automate and supervise industrial processes, including SCADA, DCS, PLCs, RTUs, and safety controllers.
- ot-iot№ 972
SCADA
Supervisory Control and Data Acquisition systems that gather telemetry from remote field devices and let operators monitor and command large industrial processes.
- ot-iot№ 334
DNP3
Distributed Network Protocol 3, an event-driven ICS protocol used in electric utilities, water, and oil & gas to communicate between SCADA masters and remote outstations.
- ot-iot№ 1111
Stuxnet
A highly sophisticated 2010 worm that sabotaged Iran's uranium-enrichment centrifuges by reprogramming Siemens PLCs, widely attributed to the United States and Israel.
- ot-iot№ 1174
TRITON / TRISIS
Malware discovered in 2017 that targeted Schneider Triconex Safety Instrumented Systems at a Saudi petrochemical plant, attributed to a Russia-linked actor.
- ot-iot№ 762
Operational Technology (OT)
Hardware and software that monitor and control physical processes, devices, and infrastructure such as factories, power plants, and utilities.
● See also
- № 966 Sandworm Team