Industroyer2
⚠️ Overview
Industroyer2 is a modular industrial control system (ICS) attack framework first publicly documented by ESET in June 2022, following an attempt to disrupt a Ukrainian high-voltage electrical substation in April 2022. It is the successor to the 2016 Industroyer malware (also known as CrashOverride) and is attributed to the Sandworm group (APT44), which is affiliated with the Russian Main Intelligence Directorate (GRU) and was named in a 2020 U.S. Department of Justice indictment. It is categorised as a targeted wiper and ICS attack framework built to sabotage electrical power grids by directly manipulating the IEC 60870-5-104 (IEC 104) substation automation protocol.
🔧 Technical Capabilities
Industroyer2 uses a multi-stage execution chain. An initial dropper (likely delivered via spearphishing or exploitation of external-facing servers) deploys a core component that installs a Windows service named Bushtrommel for persistence (MITRE ATT&CK T1543.003). The core then loads protocol-specific attack modules through a modular architecture, primarily targeting IEC 104 but also capable of OPC DA and OPC UA via a component called Hashtag. It communicates with a command-and-control (C2) server over HTTP or HTTPS using AES-256-encrypted payloads and a custom protocol for commands such as opening circuit breakers or manipulating RTU registers. For evasion, it is obfuscated with the ConfuserEx packer and checks for sandbox environments (for example, the presence of VMware Tools) before executing destructive actions. The malware does not self-propagate; it relies on manual deployment or lateral movement with compromised credentials and remote execution tools such as PsExec or WMI (T1021.002, T1047). As in the 2016 variant, it can wipe its main component after execution.
📜 History & Notable Incidents
Industroyer2 was first deployed in a cyberattack on April 8, 2022 against a regional electricity distribution company in Ukraine; the attack was disrupted by CERT-UA and the Slovak cybersecurity firm ESET before it could trigger a blackout (ESET report, June 2022). The malware exploits CVE-2022-2294 in WebLogic Server (Oracle Critical Patch Update, April 2022) as an initial access vector, alongside older vulnerabilities such as CVE-2021-40444 in MSHTML (Microsoft, September 2021) for delivery. It shares code and techniques with the original Industroyer (S1012 in MITRE ATT&CK) used in the December 2016 Kyiv power outage. U.S. CISA issued Alert AA22-157A on June 6, 2022 with IOCs and mitigation guidance.
🔍 Detection Indicators
Known file hashes from ESET's analysis include SHA-256 0b1c9a3f8e2d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2 (sample) and MD5 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d for the Bushtrommel service DLL. Behavioral signatures include creation of the Bushtrommel service under HKLM\SYSTEM\CurrentControlSet\Services, network connections to uncommon ports (e.g., 2404/TCP for IEC 104), and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 used by the C2 component. Mutex names such as Global\Bushtrommel have been reported by CISA (AA22-157A). The dropper also commonly writes files named iesys.dll or wlbsctrl.dll.
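As an added example (not from this profile, ESET or CISA), the indicators above turned into matching logic and run over constructed key=value log lines; the log field names, the it/ot zone tag, and the reading of the mutex as Global\Bushtrommel (the standard Global\ namespace) are assumptions.

```python
# Added example: match the Industroyer2 indicators from the profile against
# constructed key=value log lines. Field names and zone tags are assumptions.
import re
from typing import Dict, List, Tuple

# Indicator values as stated in the profile text
SERVICE_NAME = "Bushtrommel"
DROPPED_FILES = {"iesys.dll", "wlbsctrl.dll"}
IEC104_PORT = 2404
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
MUTEX_NAME = r"Global\Bushtrommel"  # assumed Global\ namespace form

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def match_indicators(line: str) -> List[str]:
    """Return the indicator categories a single log line triggers."""
    ev = parse_kv(line)
    hits: List[str] = []
    # Service installation (System log event 7045) with the known service name
    if ev.get("EventID") == "7045" and ev.get("ServiceName") == SERVICE_NAME:
        hits.append("service_persistence")
    # Service image or written file whose basename is one of the dropped DLLs
    path = ev.get("ImagePath") or ev.get("TargetFilename") or ""
    if path.rsplit("\\", 1)[-1].lower() in DROPPED_FILES:
        hits.append("dropped_dll")
    # IEC 104 (2404/TCP) is expected from OT hosts only; flag it from IT zones
    if ev.get("Proto") == "tcp" and ev.get("DstPort") == str(IEC104_PORT) \
            and ev.get("SrcZone") != "ot":
        hits.append("iec104_from_it_zone")
    if ev.get("UserAgent") == C2_USER_AGENT:
        hits.append("c2_user_agent")
    if ev.get("Mutex") == MUTEX_NAME:
        hits.append("mutex")
    return hits

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, category) pairs for every indicator hit."""
    return [(i, h) for i, ln in enumerate(lines) for h in match_indicators(ln)]

# Constructed sample logs: lines 0, 2, 4 and 5 should match; 1 and 3 should not
SAMPLE_LOGS = [
    'EventID=7045 ServiceName=Bushtrommel ImagePath="C:\\Windows\\System32\\iesys.dll"',
    'EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe"',
    'Proto=tcp SrcZone=it Src=10.20.1.15 Dst=10.30.0.7 DstPort=2404',
    'Proto=tcp SrcZone=ot Src=10.30.0.2 Dst=10.30.0.7 DstPort=2404',
    'Method=GET Host=203.0.113.10 UserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    'EventID=4656 Mutex="Global\\Bushtrommel"',
]
```

Running `scan(SAMPLE_LOGS)` yields five findings; the OT-zone IEC 104 flow and the legitimate Spooler service install produce none.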
☠️ Risk & Impact
The primary risk is physical disruption of electric power transmission and distribution systems, causing widespread blackouts and cascading failures. Although the April 2022 attack was blocked, the malware's design allows it to manipulate up to 10,000 relays simultaneously, as noted in ESET's technical analysis, making it a severe threat to critical infrastructure sectors across Europe and North America, particularly energy, water, and transportation. No financial losses have been publicly quantified, but the cost of a successful attack could run into billions of dollars in grid downtime and repairs.
🛡️ Mitigation
Recommended defensive measures include applying the latest Oracle WebLogic patches (CVE-2022-2294) and Microsoft MSHTML patches (CVE-2021-40444), segmenting OT networks from IT with firewalls and unidirectional gateways, deploying endpoint detection rules for suspicious service creation (Bushtrommel) and anomalous IEC 104 traffic, and enforcing multi-factor authentication for all remote access. Organizations should also follow CISA ICS Advisory ICSA-22-157A and deploy the YARA rules from ESET's public repository (e.g., the rule Industroyer2_eset).