S1072: Industroyer2
Industroyer2 is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in Industroyer. Security researchers assess that Industroyer2 was designed to cause impact to high-voltage electrical substations. The initial Industroyer2 sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022; however, it was discovered before deployment, resulting in no impact.[1]
Analyst context for executives and security teams
Industroyer2 matters because it represents malware purpose-built for industrial control environments, specifically with IEC-104 communications and assessed design intent against high-voltage electrical substations. For leaders, the key issue is not generic malware cleanup; it is whether the organization can see, validate, and contain control-protocol activity that could affect physical operations. MITRE notes the initial sample was discovered before deployment and caused no impact.
Executive priority
Prioritize this as an operational resilience and cyber-physical risk scenario for electric utility and ICS-dependent environments. Executives should ask whether engineering workstations and field controller/RTU/PLC/IED communications are monitored, whether incident response can coordinate safely with operations teams, and whether compliance evidence demonstrates visibility into IEC-104 and unauthorized control actions. Budget decisions should favor validated ICS network telemetry, asset/process baselining, and response playbooks over purely enterprise endpoint coverage.
Technical view
SOC, detection engineering, and IR teams should validate coverage around the supplied platforms: engineering workstations and field controller/RTU/PLC/IED environments. The official object has no detection text, so defenders should derive validation from the malware description and relationships: IEC-104 communication, process and remote system discovery, automated industrial information collection, monitoring process state, service stop behavior, parameter modification, brute force I/O, and unauthorized command messages. Detection logic should distinguish approved operator/automation traffic from unusual source systems, timing, command patterns, repeated point changes, and unexpected service interruptions.
Likely telemetry
- ICS network traffic, especially IEC-104 communications between engineering workstations and field devices
- Engineering workstation process execution and process discovery evidence
- Remote system and device discovery logs where available
- Control command/message records or protocol metadata from ICS monitoring tools
- Process state, historian, OPC/tag, or comparable operational data sources where present
Detection direction
- Confirm whether IEC-104 traffic is decoded, retained, and baselined; simple flow logs may be insufficient for command-level review.
- Baseline authorized engineering workstation-to-field device relationships and alert on unexpected sources, destinations, schedules, or command types.
- Tune for repeated or successive I/O point changes and parameter modifications while accounting for legitimate maintenance, testing, and operations activity.
- Correlate process discovery or remote system discovery on engineering workstations with subsequent ICS protocol activity.
- Monitor service stop events in the context of incident response inhibition or preparation for destructive activity, but validate against planned maintenance.
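The baselining and burst rules above, as an added example written for this page (not code from MITRE or from any ICS monitoring product). It assumes an ICS monitor exports decoded IEC-104 metadata as (timestamp, source, destination, ASDU type ID, information object address) tuples; the host names, the baseline and the records are constructed.

```python
from collections import defaultdict, deque

# Constructed IEC-104 metadata records, in the shape a protocol decoder might export:
# (timestamp in seconds, source host, destination device, ASDU type ID, IOA).
# Type IDs are the standard IEC 60870-5-104 values: 45 = C_SC_NA_1 (single command),
# 46 = C_DC_NA_1 (double command), 100 = C_IC_NA_1 (general interrogation).
SAMPLE = [
    (0,  "ews-01", "rtu-07", 100, 0),    # interrogation from the authorized workstation
    (5,  "ews-01", "rtu-07", 45, 1101),  # single command over an authorized path
    (9,  "hmi-02", "rtu-07", 45, 1101),  # command from a host outside the baseline
    (12, "ews-01", "rtu-07", 46, 1102),  # ASDU type the baseline does not allow
    (20, "ews-01", "rtu-07", 45, 1103),  # start of a burst on a single point
    (21, "ews-01", "rtu-07", 45, 1103),
    (22, "ews-01", "rtu-07", 45, 1103),
    (23, "ews-01", "rtu-07", 45, 1103),
]

# Baseline: which workstation may talk to which device, and which ASDU types it may send.
BASELINE = {("ews-01", "rtu-07"): {100, 45}}

# Process-command ASDU types without time tag (C_SC_NA_1 .. C_BO_NA_1).
COMMAND_TYPES = {45, 46, 47, 48, 49, 50, 51}

def detect(records, baseline, burst_n=3, window_s=10):
    """Return (timestamp, rule, detail) alerts for records that leave the baseline."""
    alerts = []
    recent = defaultdict(deque)  # (src, dst, ioa) -> timestamps of recent commands
    for ts, src, dst, type_id, ioa in records:
        allowed = baseline.get((src, dst))
        if allowed is None:
            # Rule 1: no baseline entry for this source/destination pair at all.
            alerts.append((ts, "unexpected_source", f"{src}->{dst}"))
            continue
        if type_id not in allowed:
            # Rule 2: known pair, but an ASDU type it was never seen sending.
            alerts.append((ts, "unexpected_asdu_type", f"{src}->{dst} type {type_id}"))
        if type_id in COMMAND_TYPES:
            # Rule 3: burst_n commands to the same point within window_s seconds.
            q = recent[(src, dst, ioa)]
            q.append(ts)
            while q and ts - q[0] > window_s:
                q.popleft()
            if len(q) == burst_n:  # fire once per burst, not on every later command
                alerts.append((ts, "repeated_point_change", f"{src}->{dst} ioa {ioa} x{burst_n}"))
    return alerts
```

Thresholds and the baseline are the tuning knobs: planned maintenance or testing should be reflected by a temporary baseline entry rather than by suppressing the rule.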
Mitigation priorities
- Maintain an accurate inventory of engineering workstations and field control assets, including normal IEC-104 communication paths.
- Segment and tightly control which systems can communicate with field devices using industrial protocols.
- Limit and review privileges for engineering workstation functions capable of sending commands or changing parameters.
- Build joint SOC/OT operations response procedures for suspected unauthorized command messages or unsafe process-state changes.
- Retain ICS protocol and operational telemetry long enough to support incident reconstruction and compliance evidence.
Analyst notes and limits
ATT&CK identifies Industroyer2 as compiled/static malware able to communicate over IEC-104, similar to the IEC-104 module in Industroyer, and assessed by researchers as designed to cause impact to high-voltage electrical substations. The object is linked to Sandworm Team and to ICS techniques involving collection, discovery, service stopping, parameter/I/O manipulation, and command messages. The supplied record states the initial sample was discovered before deployment, resulting in no impact.
The official ATT&CK object provides no detection guidance, no aliases, and no explicit tactic list. Local engineering diagrams, protocol baselines, asset inventory, and OT change records are required to determine whether observed behavior is suspicious. This take does not assert active exploitation or customer exposure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | Industroyer2 has the ability to cyclically enumerate running processes such as PServiceControl.exe, PService_PDD.exe, and other targets supplied through a hardcoded configuration. (Citation: Industroyer2 Mandiant April 2022) |
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e0ebc6c5d12d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Industroyer2 Blackhat ESET: Anton Cherepanov, Robert Lipovsky. (2022, August). Industroyer2: Sandworm's Cyberwarfare Targets Ukraine's Power Grid. Retrieved April 6, 2023.
[2] MITRE ATT&CK: S1072, Industroyer2.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.