MITRE ATT&CK® Malware

S0604: Industroyer

Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[1] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[2] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[3]

Domain: Enterprise | ID: S0604 | Type: Malware | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Industroyer matters because ATT&CK describes it as malware built to affect Industrial Control Systems, specifically electrical substation components, and links it to the 2016 Ukraine Electric Power Attack. For executives, the relevant question is not whether ordinary endpoint malware coverage exists; it is whether the organization can detect and respond when Windows systems in or adjacent to operational technology are used to discover, monitor, manipulate, or disrupt industrial processes.

Executive priority

Treat this as a resilience and cyber-physical risk planning case. Leaders responsible for electric, utility, manufacturing, or other ICS-dependent operations should ask whether incident response plans, SOC escalation paths, engineering procedures, and audit evidence cover loss of view, loss of control, denial of control, device restart/shutdown, service stop, and protective-function degradation scenarios. Budget priority should focus on validated OT visibility, segmentation, response coordination with operations teams, and evidence that Windows assets supporting ICS functions are monitored and recoverable.

Technical view

ATT&CK lists the platform as Windows and provides no official detection text, so teams should validate coverage from the relationship context. Industroyer is associated with ICS techniques including process-state monitoring, automated collection, network and remote-system discovery, port scanning, command-line use, connection proxying, service stop, data destruction, firmware-update-mode abuse, manipulation/loss/denial of control and view, device restart/shutdown, and loss of protection. SOC and IR teams should map detections to Windows hosts that interact with ICS networks, then correlate endpoint activity with industrial network traffic and operator/engineering events rather than relying on IT telemetry alone.

Likely telemetry

  • Windows endpoint process execution and command-line logs from ICS-adjacent systems
  • Windows service start/stop and system restart/shutdown events
  • File creation, deletion, and other evidence relevant to data destruction or cleanup
  • Network connection metadata from Windows hosts communicating with ICS devices or substation networks
  • ICS network traffic showing discovery, port scanning, protocol use, command activity, or abnormal device communications

Detection direction

  • Confirm whether monitoring exists at the boundary between enterprise Windows systems and ICS environments; enterprise-only logging may miss the material behavior.
  • Tune for unusual command-line activity, service stops, restarts, proxy-like connections, file destruction, and discovery from Windows hosts with access to control-system networks.
  • Correlate IT events with OT symptoms such as unexpected loss of view, denial of control, manipulation of control values, device restarts, or protective-system impairment.
  • Baseline normal engineering and maintenance activity to reduce false positives, especially legitimate scans, service restarts, firmware work, and operator-initiated control actions.
  • Use the ATT&CK relationship set to build scenario-based detections, not just malware-name detections, because the supplied object has no official detection guidance.
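The detection directions above can be turned into concrete logic on the host side. The following is an added example written for this page, not code from ATT&CK, ESET or Dragos: it runs two checks over constructed Sysmon-style registry events (event ID 13, value set) from Windows hosts next to a control-system network. The first flags a service ImagePath rewritten to a binary outside System32 (the T1543.003 procedure in the table below); the second flags one host zeroing many Services subkeys in a short window (the T1489/T1012 wiper procedures). Host names, paths, the ZERO_LIKE rendering and the thresholds are assumptions chosen for illustration.

```python
"""Host-side detection sketch for service tampering on ICS-adjacent Windows hosts.

Added example, not code from ATT&CK, ESET or Dragos. Runs over a constructed
list of Sysmon-style records (event_id 13 = registry value set). Host names,
paths and thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SERVICES_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
# Service binaries normally live here; anything else deserves a look.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Simplification (assumption): Sysmon renders some value types as text; a real
# pipeline should read the raw value to confirm a zero-fill of binary/string data.
ZERO_LIKE = {"", "DWORD (0x00000000)"}


def _exe_from_imagepath(value):
    """Normalize an ImagePath value to a lower-case absolute executable path.
    Handles quoted paths with arguments and the relative/NT forms drivers use."""
    v = value.strip()
    if v.startswith('"'):
        exe = v[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.(?:exe|sys|dll))(\s|$)", v, re.IGNORECASE)
        exe = m.group(1) if m else v.split(" ", 1)[0]
    exe = exe.lower()
    if exe.startswith("\\??\\"):
        exe = exe[4:]
    if exe.startswith("\\systemroot\\"):
        exe = "c:\\windows\\" + exe[len("\\systemroot\\"):]
    if exe.startswith("system32\\"):
        exe = "c:\\windows\\" + exe
    return exe


def _service_name(target):
    """Return the service subkey name if target lies under the Services key."""
    if not target.lower().startswith(SERVICES_KEY.lower()):
        return None
    return target[len(SERVICES_KEY):].split("\\", 1)[0]


def detect_imagepath_swaps(events):
    """T1543.003 pattern: a service ImagePath rewritten to a binary outside trusted dirs."""
    alerts = []
    for e in events:
        if e["event_id"] != 13 or not e["target"].lower().endswith("\\imagepath"):
            continue
        svc = _service_name(e["target"])
        exe = _exe_from_imagepath(e["details"])
        if svc and not exe.startswith(TRUSTED_DIRS):
            alerts.append((e["host"], svc, exe))
    return alerts


def detect_services_key_wiping(events, min_services=5, window=timedelta(seconds=60)):
    """T1489/T1012 wiper pattern: many Services subkeys zeroed by one host in one window."""
    writes = defaultdict(list)
    for e in events:
        if e["event_id"] != 13 or e["details"] not in ZERO_LIKE:
            continue
        svc = _service_name(e["target"])
        if svc:
            writes[e["host"]].append((datetime.fromisoformat(e["ts"]), svc))
    alerts = []
    for host, items in writes.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            touched = {s for t, s in items[i:] if t - t0 <= window}
            if len(touched) >= min_services:
                alerts.append((host, len(touched)))
                break
    return alerts


def _reg(ts, host, target, details):
    return {"ts": ts, "host": host, "event_id": 13, "target": target, "details": details}


# Constructed sample telemetry (not real Industroyer indicators).
SAMPLE_EVENTS = [
    # benign: a driver path in the relative form Windows itself writes
    _reg("2016-12-17T22:00:00", "HMI-01", SERVICES_KEY + "acpi\\ImagePath", "System32\\drivers\\acpi.sys"),
    # suspicious: service binary redirected to a file in a user-writable directory
    _reg("2016-12-17T22:05:10", "HMI-01", SERVICES_KEY + "AppMgmt\\ImagePath", "C:\\Users\\Public\\svc_update.exe"),
    # benign: quoted System32 path with arguments
    _reg("2016-12-17T22:06:00", "ENG-02", SERVICES_KEY + "Spooler\\ImagePath", '"C:\\Windows\\System32\\spoolsv.exe" /service'),
] + [
    # burst of zero writes across eight service keys on one host inside one minute
    _reg(f"2016-12-17T22:10:{i:02d}", "HMI-01", SERVICES_KEY + f"svc{i}\\Start", "DWORD (0x00000000)")
    for i in range(8)
]

if __name__ == "__main__":
    print("ImagePath swaps:", detect_imagepath_swaps(SAMPLE_EVENTS))
    print("Services-key wiping:", detect_services_key_wiping(SAMPLE_EVENTS))
```

The path normalization matters in practice: driver services legitimately carry relative or NT-style paths, and a rule that only accepts literal C:\Windows\System32 prefixes will page on every patch cycle. The wiping check counts distinct subkeys rather than raw write volume, so one noisy installer touching a single service does not trip it.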

Mitigation priorities

  • Prioritize asset inventory and network mapping for Windows systems that can reach ICS devices or substation components.
  • Limit and monitor pathways from enterprise networks into ICS networks; enforce least-privilege access for engineering and operator functions.
  • Establish OT-aware logging and retention for Windows hosts, network traffic, operator actions, device state changes, and service events.
  • Prepare IR playbooks for loss of view/control, device restart/shutdown, service stop, data destruction, and protection-function impairment scenarios.
  • Validate recovery procedures with operations teams, including manual operation, device restoration, and evidence preservation for compliance and post-incident review.

Analyst notes and limits

ATT&CK identifies Industroyer as a sophisticated ICS-impact malware framework and links it to the 2016 Ukraine Electric Power Attack and Sandworm Team through relationships. The strongest defensive use is scenario planning across the listed ICS techniques and Windows-host telemetry, especially where business operations depend on reliable substation or control-system behavior.

The supplied ATT&CK object has no official detection text, no listed tactics, and only Windows as a platform. Many defensive conclusions require local architecture, device inventory, ICS protocol visibility, logging maturity, and operational procedures. This take does not assert current exploitation or environment-specific exposure.

Official MITRE ATT&CK definition

Industroyer

Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[1] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[2] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

19 rows

Domain      ID          Name                                              Relationship / procedure

Enterprise  T1543.003   Windows Service (sub-technique)
            Industroyer can use an arbitrary system service to load at system boot for persistence and replaces the ImagePath registry value of a Windows service with a new backdoor binary. [Dragos Crashoverride 2017]

Enterprise  T1485       Data Destruction
            Industroyer's data wiper module clears registry keys and overwrites both ICS configuration and Windows files. [Dragos Crashoverride 2017]

Enterprise  T1046       Network Service Discovery
            Industroyer uses a custom port scanner to map out a network. [ESET Industroyer]

Enterprise  T1078       Valid Accounts
            Industroyer can use supplied user credentials to execute processes and stop services. [ESET Industroyer]

Enterprise  T1554       Compromise Host Software Binary
            Industroyer has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism. [ESET Industroyer]

Enterprise  T1105       Ingress Tool Transfer
            Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory. [ESET Industroyer]

Enterprise  T1018       Remote System Discovery
            Industroyer can enumerate remote computers in the compromised network. [ESET Industroyer]

Enterprise  T1083       File and Directory Discovery
            Industroyer's data wiper component enumerates specific files on all the Windows drives. [ESET Industroyer]

Enterprise  T1572       Protocol Tunneling
            Industroyer attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel. [Dragos Crashoverride 2017]

Enterprise  T1016       System Network Configuration Discovery
            Industroyer's 61850 payload component enumerates connected network adapters and their corresponding IP addresses. [ESET Industroyer]

Enterprise  T1489       Service Stop
            Industroyer's data wiper module writes zeros into the registry keys in SYSTEM\CurrentControlSet\Services to render a system inoperable. [Dragos Crashoverride 2017]

Enterprise  T1041       Exfiltration Over C2 Channel
            Industroyer sends information about hardware profiles and previously-received commands back to the C2 server in a POST request. [ESET Industroyer]

Enterprise  T1071.001   Web Protocols (sub-technique)
            Industroyer's main backdoor connected to a remote C2 server using HTTPS. [ESET Industroyer]

Enterprise  T1090.003   Multi-hop Proxy (sub-technique)
            Industroyer used Tor nodes for C2. [Dragos Crashoverride 2017]

Enterprise  T1082       System Information Discovery
            Industroyer collects the victim machine's Windows GUID. [Dragos Crashoverride 2017]

Enterprise  T1499.004   Application or System Exploitation (sub-technique)
            Industroyer uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices. [ESET Industroyer]

Enterprise  T1140       Deobfuscate/Decode Files or Information
            Industroyer decrypts code to connect to a remote C2 server. [ESET Industroyer]

Enterprise  T1012       Query Registry
            Industroyer has a data wiper component that enumerates keys in the Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. [ESET Industroyer]

Enterprise  T1027       Obfuscated Files or Information
            Industroyer uses heavily obfuscated code in its Windows Notepad backdoor. [ESET Industroyer]
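Several rows above describe network behavior that is visible at the IT/OT boundary rather than on the host: the custom port scanner (T1046), remote system enumeration (T1018) and the HTTP CONNECT through an internal proxy (T1572). The following is an added example written for this page, not code from ATT&CK, ESET or Dragos. It runs over constructed flow records and a few constructed Squid-style proxy access-log lines; the addresses, the set of ICS-adjacent hosts, the thresholds and the choice of Squid's native log format are all assumptions. The scan check counts distinct (destination, port) pairs per source so steady polling of one device stays quiet; the tunnel check explains each alert with the reasons that fired.

```python
"""Network-side detection sketch for discovery and tunneling from ICS-adjacent hosts.

Added example, not code from ATT&CK, ESET or Dragos. Inputs are constructed:
flow records (timestamp, src, dst, dport) from the IT/OT boundary and a few
Squid-style proxy access-log lines. Addresses, hosts and thresholds are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# TCP ports of common substation protocols; the 61850 payload is the one named on this page.
ICS_PORTS = {102: "IEC 61850 MMS", 2404: "IEC 60870-5-104", 20000: "DNP3"}
# Assumption: Windows hosts that are allowed to reach the substation LAN.
ICS_ADJACENT_HOSTS = {"10.10.1.20", "10.10.1.21"}


def detect_port_scan(flows, min_targets=10, window=timedelta(seconds=60)):
    """T1046/T1018 pattern: one source touching many distinct (dst, port) pairs in a short window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((datetime.fromisoformat(ts), dst, dport))
    alerts = []
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _, _) in enumerate(items):
            targets = {(d, p) for t, d, p in items[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                alerts.append({"src": src, "targets": len(targets),
                               "ics_ports": sorted({p for _, p in targets if p in ICS_PORTS})})
                break
    return alerts


# Squid native access.log: time elapsed client result/status bytes method URL user hierarchy type
SQUID_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
                      r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
                      r"(?P<hier>\S+)\s+(?P<type>\S+)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def detect_connect_tunnels(log_text, watched_hosts=ICS_ADJACENT_HOSTS):
    """T1572 pattern: HTTP CONNECT through the internal proxy from an ICS-adjacent host,
    to a raw IP address, or to a port other than 443. Each alert lists the reasons that fired."""
    alerts = []
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        host, _, port = m["url"].rpartition(":")
        reasons = []
        if m["client"] in watched_hosts:
            reasons.append("ics_adjacent_client")
        if IPV4_RE.fullmatch(host):
            reasons.append("raw_ip_destination")
        if port != "443":
            reasons.append("non_443_port")
        if reasons:
            alerts.append({"client": m["client"], "dest": m["url"], "reasons": reasons})
    return alerts


def _flows():
    """Constructed flows: a sweep of twelve device addresses on two ICS ports in under 30 s,
    plus an engineering workstation polling one device every second (benign baseline)."""
    base = datetime(2016, 12, 17, 22, 30, 0)
    flows = []
    for i in range(12):
        for k, port in enumerate((102, 2404)):
            flows.append(((base + timedelta(seconds=i * 2 + k)).isoformat(), "10.10.1.20", f"10.20.0.{i + 1}", port))
    for i in range(30):
        flows.append(((base + timedelta(seconds=i)).isoformat(), "10.10.1.21", "10.20.0.5", 102))
    return flows


SAMPLE_FLOWS = _flows()

# Constructed proxy log lines (documentation IP ranges, not real C2).
SAMPLE_PROXY_LOG = """\
1481996400.101    120 10.10.1.21 TCP_MISS/200 5120 GET http://intranet.example/patch.cab - HIER_DIRECT/10.10.9.9 application/octet-stream
1481996403.222   9000 10.10.1.20 TCP_TUNNEL/200 30720 CONNECT 198.51.100.23:443 - HIER_DIRECT/198.51.100.23 -
1481996405.500    300 10.10.1.20 TCP_TUNNEL/200 2048 CONNECT 203.0.113.7:9001 - HIER_DIRECT/203.0.113.7 -
1481996410.010    200 10.10.1.22 TCP_TUNNEL/200 8192 CONNECT update.vendor.example:443 - HIER_DIRECT/192.0.2.40 -
"""

if __name__ == "__main__":
    print("Port scans:", detect_port_scan(SAMPLE_FLOWS))
    print("CONNECT tunnels:", detect_connect_tunnels(SAMPLE_PROXY_LOG))
```

Baselining still applies: legitimate engineering scans and vendor maintenance will look like the first check, so the alert carries the ICS ports touched and the source so an operator can confirm against change records rather than suppress the rule.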

Associated objects

Groups, software, and campaigns

Group Enterprise

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 30f412bcf692622a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.2            |          | Current bundle | 30f412bcf692…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] ESET Industroyer: Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved December 18, 2020.
[2] Dragos Crashoverride 2017: Dragos Inc. (2017, June 13). CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
[3] Dragos Crashoverride 2018: Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
[4] CRASHOVERRIDE: alias name; see Dragos Crashoverride 2017.
[5] Win32/Industroyer: alias name; see ESET Industroyer.
[6] mitre-attack S0604: MITRE ATT&CK software entry S0604 (Industroyer) on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.