
Industroyer

The 2016 ICS malware that took the Pivnichna substation offline outside Kyiv. Spoke IEC 60870-5-104 and IEC 61850 natively — the substation's own protocol stack as the attack surface. Refined into Industroyer2 in 2022.

Also: CRASHOVERRIDE, Industroyer2, Win32/Industroyer

Industroyer (also called CRASHOVERRIDE) is the malware that hit the Pivnichna substation north of Kyiv on 17 December 2016, taking it offline for approximately one hour. The malware was disclosed by ESET and Dragos in mid-2017, with CISA publishing TA17-163A in June 2017.

It is the first publicly known ICS malware that spoke power-grid protocols natively rather than reaching the PLC indirectly via Windows-side compromise. Where Stuxnet needed a USB stick and a Step 7 engineering station to deliver its payload to the PLC, Industroyer carried protocol modules that talked IEC 60870-5-104, IEC 60870-5-101, IEC 61850 (including GOOSE), and OPC DA directly. The substation’s designed communication surface was the attack surface.

The 2016 attack

The publicly documented effect was about an hour of outage at Pivnichna, a transmission substation feeding Kyiv. The technical novelty was greater than the operational impact:

  • Modular architecture — a backdoor and four protocol modules (IEC 101, IEC 104, IEC 61850, OPC DA) that could be swapped per target environment.
  • Native protocol fluency — the IEC 104 module could enumerate slaves, issue stop/start commands, send open/close to specific information object addresses.
  • Wiper module — designed to overwrite firmware on Siemens SIPROTEC relays via a known but unpatched DoS vulnerability (CVE-2015-5374), bricking the protection devices and lengthening the recovery window. The wiper component appears to have failed to execute as intended in 2016.
  • Time-delayed activation — designed to delay action until a configured time, suggesting the operators wanted the disruption visible at a specific moment.
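The "native protocol fluency" bullet above is what a conduit monitor has to be able to see: an IEC 104 command to an information object address is a handful of bytes that look exactly like legitimate SCADA traffic unless the monitor decodes the ASDU and asks who sent it and which IOA it targets. The following is an added example, written for this page and not code from ESET, Dragos or the Industroyer samples: a minimal IEC 60870-5-104 APDU parser plus a rule set that flags control commands from hosts that are not the configured SCADA master, commands to IOAs outside an approved control-point list, and station interrogations (enumeration) from unexpected hosts. The IP addresses, the IOA allowlist and the captured byte strings are all constructed for the example; the type IDs and element sizes follow the IEC 60870-5-101/104 definitions.

```python
import struct
from dataclasses import dataclass

# IEC 60870-5-104 type identifiers with control (write) semantics: 45..51 are
# the direct control commands, 58..64 the same commands with CP56Time2a time tags.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point (normalised)",
    49: "C_SE_NB_1 set point (scaled)",
    50: "C_SE_NC_1 set point (short float)",
    51: "C_BO_NA_1 bitstring of 32 bits",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    60: "C_RC_TA_1 regulating step command with time tag",
    61: "C_SE_TA_1 set point (normalised) with time tag",
    62: "C_SE_TB_1 set point (scaled) with time tag",
    63: "C_SE_TC_1 set point (short float) with time tag",
    64: "C_BO_TA_1 bitstring of 32 bits with time tag",
}
INTERROGATION = 100  # C_IC_NA_1: reads the whole station image (enumeration)

# Size in bytes of one information element per type ID (the IOA itself is 3 bytes).
ELEMENT_SIZE = {
    1: 1, 13: 5, 30: 8, 36: 12,                       # common monitoring types
    45: 1, 46: 1, 47: 1, 48: 3, 49: 3, 50: 5, 51: 4,  # control commands
    58: 8, 59: 8, 60: 8, 61: 10, 62: 10, 63: 12, 64: 11,
    100: 1,
}

@dataclass
class Apdu:
    type_id: int
    cot: int          # cause of transmission (low 6 bits); 6 = activation
    common_addr: int  # common address of ASDU (station)
    ioas: list        # information object addresses touched by this ASDU

def parse_apdu(data: bytes):
    """Parse one IEC 104 APDU. Returns Apdu for I-format frames, None for
    S-/U-format control frames, and raises ValueError when malformed."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("missing 0x68 start byte")
    if data[1] + 2 != len(data) or data[1] < 4:
        raise ValueError("length field does not match frame")
    if data[2] & 0x01:  # bit 0 of control octet 1 set: S-format or U-format
        return None
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id = asdu[0]
    sq, count = asdu[1] & 0x80, asdu[1] & 0x7F
    cot = asdu[2] & 0x3F
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    elem = ELEMENT_SIZE.get(type_id)
    if elem is None:
        raise ValueError(f"unsupported type ID {type_id}")
    if sq:  # SQ=1: one IOA followed by `count` consecutive elements
        if len(asdu) < 9 + count * elem:
            raise ValueError("ASDU body truncated")
        first = int.from_bytes(asdu[6:9], "little")
        ioas = [first + i for i in range(count)]
    else:   # SQ=0: every element carries its own 3-byte IOA
        if len(asdu) < 6 + count * (3 + elem):
            raise ValueError("ASDU body truncated")
        ioas = [int.from_bytes(asdu[6 + i * (3 + elem):9 + i * (3 + elem)], "little")
                for i in range(count)]
    return Apdu(type_id, cot, common_addr, ioas)

@dataclass
class Finding:
    src: str
    reason: str
    ioas: list

def inspect_conduit(records, allowed_masters, allowed_control_ioas):
    """records: (src_ip, dst_ip, payload) tuples seen on the RTU/SCADA conduit.
    allowed_control_ioas maps common address -> set of IOAs the master may command."""
    findings = []
    for src, _dst, payload in records:
        try:
            apdu = parse_apdu(payload)
        except ValueError as exc:
            findings.append(Finding(src, f"malformed APDU: {exc}", []))
            continue
        if apdu is None:
            continue
        if apdu.type_id == INTERROGATION and src not in allowed_masters:
            findings.append(Finding(src, "station interrogation from non-master host", apdu.ioas))
        if apdu.type_id not in CONTROL_TYPE_IDS:
            continue
        name = CONTROL_TYPE_IDS[apdu.type_id]
        if src not in allowed_masters:
            findings.append(Finding(src, f"{name} from non-master host", apdu.ioas))
        approved = allowed_control_ioas.get(apdu.common_addr, set())
        bad = [i for i in apdu.ioas if i not in approved]
        if bad:
            findings.append(Finding(src, f"{name} to unapproved IOA(s)", bad))
    return findings

# Constructed sample traffic (not a real capture): master 10.1.1.10, RTU 10.1.2.20,
# and a host 10.1.1.77 that has no business issuing commands on this conduit.
SAMPLE_RECORDS = [
    ("10.1.1.10", "10.1.2.20", bytes.fromhex("680e00000000" "64010600" "0100" "000000" "14")),  # station interrogation from master
    ("10.1.2.20", "10.1.1.10", bytes.fromhex("680e00000200" "01010300" "0100" "050000" "01")),  # M_SP_NA_1 spontaneous point from RTU
    ("10.1.1.10", "10.1.2.20", bytes.fromhex("680e02000200" "2d010600" "0100" "0a0000" "01")),  # single command ON to IOA 10 from master
    ("10.1.1.77", "10.1.2.20", bytes.fromhex("680e00000000" "2d010600" "0100" "0a0000" "01")),  # same command from the rogue host
    ("10.1.1.10", "10.1.2.20", bytes.fromhex("680e04000200" "2e010600" "0100" "0b0000" "02")),  # double command to IOA 11 (not approved)
    ("10.1.1.77", "10.1.2.20", bytes.fromhex("6804" "43000000")),                              # U-format TESTFR act, carries no ASDU
    ("10.1.1.77", "10.1.2.20", bytes.fromhex("680e00000000" "64010600" "0100" "000000" "14")),  # station interrogation from the rogue host
]
ALLOWED_MASTERS = {"10.1.1.10"}
ALLOWED_CONTROL_IOAS = {1: {10, 12}}  # common address 1: only IOAs 10 and 12 are controllable

def run_example():
    return inspect_conduit(SAMPLE_RECORDS, ALLOWED_MASTERS, ALLOWED_CONTROL_IOAS)

if __name__ == "__main__":
    for f in run_example():
        print(f"{f.src}: {f.reason} {f.ioas}")
```

Run against the constructed records it produces three findings: the single command from 10.1.1.77, the double command from the legitimate master to an IOA that is not on the control-point list, and the interrogation from 10.1.1.77. The second finding is the one worth noting: a compromised engineering host issuing commands from the master's own address is only visible if the monitor knows which points are supposed to be controllable at all, which is why the IOA allowlist has to come from the substation's point list rather than from observed traffic.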

Industroyer2

In April 2022, a refined Industroyer variant was discovered targeting a specific Ukrainian high-voltage transmission substation. It was disclosed by ESET on 12 April 2022 in a joint response with CERT-UA. Differences from the 2016 original:

  • Single protocol module (IEC 104 only), hard-coded to specific information object addresses for the target substation. Tighter scope, more bespoke.
  • Caught before execution by the joint CERT-UA / ESET response. The intended outage did not happen.
  • Deployed alongside CaddyWiper and ORCSHRED/SOLOSHRED/AWFULSHRED disk-wipers, indicating an intent to lengthen recovery time after the substation event.

Why it matters for the substation context

Industroyer is the proof point that the corpus’s deployment scenario — DNP3 / IEC 60870-5-104 in plaintext over an MPLS WAN, IEC 61850 station bus inside the substation — is in scope for a competent adversary using publicly demonstrated tooling. The relevant takeaways for a 62443 design:

  • FR3 (System Integrity) on the IEC 104 / DNP3 conduit between RTU and SCADA is not a theoretical control. Industroyer issued open commands to specific IOAs that were entirely valid at the protocol level and malicious only in intent. Without DNP3 SA (IEC 62351-5) or TLS (IEC 62351-3), such commands can be forged by anyone with access to the conduit.
  • GOOSE forge-resistance (IEC 62351-6) is not a paper requirement. Industroyer’s IEC 61850 module emitted GOOSE; whether 62351-6 HMAC was deployed determines whether the IEDs would have accepted it.
  • Wiper modules targeting protection-relay firmware mean that the recovery time from a compromise can be hours-to-days of physical site visits, not minutes of restart. The CVE-2015-5374 path used in 2016 is patched, but the pattern (use a known firmware bug to brick the device, lengthen the recovery window) generalises.
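The first two takeaways above both come down to the same mechanism: a message authentication code over the control message, plus state so that a captured genuine message cannot simply be replayed. The following is an added example, written for this page and not from the IEC 62351 text, ESET or any IED vendor, of the subscriber-side check a GOOSE receiver would perform if forge-resistance were actually deployed. The PDU encoding is a simplified length-prefixed layout rather than the BER encoding of IEC 61850-8-1, HMAC-SHA256 is an assumed algorithm choice, the GoCB reference and key are placeholders, and the stNum/sqNum replay rule is the simple monotonic version rather than the full 61850 timing logic; what it does show is that the tag is verified before anything is parsed, that a frame built without the key or modified after signing is rejected, and that an exact replay of a genuine frame is also rejected.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

TAG_LEN = 32  # HMAC-SHA256 output length; the algorithm is an assumption of this example

@dataclass(frozen=True)
class GoosePdu:
    gocb_ref: str  # GOOSE control block reference the subscriber is configured to trust
    st_num: int    # stNum: increments when the published dataset changes state
    sq_num: int    # sqNum: increments on each retransmission, restarts after a state change
    data: bytes    # encoded dataset; opaque bytes here, constructed for the example

    def encode(self) -> bytes:
        # Simplified length-prefixed encoding, not the BER encoding of IEC 61850-8-1.
        ref = self.gocb_ref.encode()
        return (struct.pack("!H", len(ref)) + ref
                + struct.pack("!II", self.st_num, self.sq_num)
                + struct.pack("!H", len(self.data)) + self.data)

def decode(body: bytes) -> GoosePdu:
    ref_len = struct.unpack_from("!H", body, 0)[0]
    ref = body[2:2 + ref_len].decode()
    st_num, sq_num = struct.unpack_from("!II", body, 2 + ref_len)
    pos = 10 + ref_len
    data_len = struct.unpack_from("!H", body, pos)[0]
    data = body[pos + 2:pos + 2 + data_len]
    if len(data) != data_len or pos + 2 + data_len != len(body):
        raise ValueError("PDU length mismatch")
    return GoosePdu(ref, st_num, sq_num, data)

def publish(pdu: GoosePdu, key: bytes) -> bytes:
    """Publisher side: append an HMAC over the whole PDU so that any change to
    the reference, the counters or the dataset invalidates the tag."""
    body = pdu.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Subscriber:
    def __init__(self, key: bytes, trusted_refs):
        self.key = key
        self.trusted = set(trusted_refs)
        self.last = {}  # gocb_ref -> (st_num, sq_num) of the last accepted frame

    def accept(self, frame: bytes):
        """Returns (accepted, reason). The tag is checked before anything is
        parsed, so an unauthenticated frame never reaches the decoder or the counters."""
        if len(frame) <= TAG_LEN:
            return False, "truncated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "authentication failed"
        try:
            pdu = decode(body)
        except (ValueError, struct.error, UnicodeDecodeError):
            return False, "malformed"
        if pdu.gocb_ref not in self.trusted:
            return False, "untrusted GoCB reference"
        prev = self.last.get(pdu.gocb_ref)
        if prev is not None:
            prev_st, prev_sq = prev
            if pdu.st_num < prev_st or (pdu.st_num == prev_st and pdu.sq_num <= prev_sq):
                return False, "replayed or stale"
        self.last[pdu.gocb_ref] = (pdu.st_num, pdu.sq_num)
        return True, "accepted"

# Constructed demonstration: one trusted publisher, one subscriber, and the kinds
# of frame a host on the station bus without the key could present to it.
GOCB = "IED1CFG/LLN0$GO$gcb01"   # placeholder reference, not a real device
KEY = b"constructed-shared-key"  # placeholder; key distribution is out of scope here

def run_demo():
    sub = Subscriber(KEY, [GOCB])
    trip = publish(GoosePdu(GOCB, st_num=7, sq_num=0, data=b"\x01"), KEY)
    retx = publish(GoosePdu(GOCB, st_num=7, sq_num=1, data=b"\x01"), KEY)
    no_key = publish(GoosePdu(GOCB, st_num=8, sq_num=0, data=b"\x00"), b"guessed-key")
    # Original tag kept, but the dataset byte altered after signing
    tampered = trip[:-TAG_LEN - 1] + b"\x00" + trip[-TAG_LEN:]
    return [
        sub.accept(trip),      # genuine frame
        sub.accept(retx),      # genuine retransmission, sqNum advanced
        sub.accept(trip),      # exact replay of the first frame
        sub.accept(no_key),    # built without the key
        sub.accept(tampered),  # modified dataset with the original tag
    ]

if __name__ == "__main__":
    for ok, why in run_demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The ordering inside `accept` is the design point: the constant-time tag comparison runs first, so a flood of forged frames costs the IED one HMAC each and nothing else, and the counter state is only updated by frames that have already passed authentication, so an attacker cannot poison the replay window with unauthenticated traffic. Without the tag step, the counter logic alone would accept any frame whose stNum the sender chose to set high enough, which is exactly the situation an unauthenticated GOOSE subscriber is in.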

Place in the broader threat arc

Year  Event
2010  Stuxnet disclosed — bespoke campaign against centrifuge controllers
2015  BlackEnergy / KillDisk attack on Ukrainian distribution; manual operator-station hijack
2016  Industroyer / CRASHOVERRIDE — first malware speaking ICS protocols natively
2022  Industroyer2 — refined for one target substation, caught pre-execution
2022  CHERNOVITE PIPEDREAM toolkit (CISA AA22-103A) — multi-vendor, pre-deployment ICS tooling

The trajectory from 2010 to 2022 is from one-off campaign to pre-staged toolkit. The substation-and-control-centre context the corpus describes operates in the post-2022 environment whether the architecture acknowledges it or not.