Industroyer2 (CrashOverride 2).

A 2022 evolution of the Industroyer/CrashOverride electric-grid malware, attributed by ESET to Sandworm and used in an unsuccessful April 2022 attempt to cut power in a Ukrainian regional utility. It belongs to the OT / ICS / IoT category of cybersecurity.

A 2022 evolution of the Industroyer/CrashOverride electric-grid malware, attributed by ESET to Sandworm and used in an unsuccessful April 2022 attempt to cut power in a Ukrainian regional utility.

Industroyer2 is a 2022 ICS malware sample attributed by ESET and CERT-UA to Russia's Sandworm group, used in a 8 April 2022 attempt to disrupt a Ukrainian high-voltage substation. It is a leaner, single-target evolution of the 2016 Industroyer / CrashOverride malware that caused a Kyiv power outage. Industroyer2 implements the IEC 60870-5-104 protocol directly, with the target substation's IEC-104 endpoints and addresses hard-coded into the binary, indicating that the operator had performed long-running reconnaissance and obtained engineering data before deployment. The intended outcome — opening circuit breakers in a coordinated manner to cause a regional blackout — was prevented by Ukrainian defenders and ESET researchers in time. The campaign also delivered destructive wipers (CaddyWiper, Industroyer2-paired ORCSHRED/AWFULSHRED/SOLOSHRED scripts) to make recovery harder. Industroyer2 is the clearest public example of state-sponsored grid-targeted malware actually used in a kinetic conflict.

Defences for Industroyer2 (CrashOverride 2) typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: Industroyer 2, CrashOverride 2.