Industroyer2
Industroyer2 is an ICS/OT malware variant used by Sandworm, identified as GRU Unit 74455, against Ukraine’s electric sector in 2022. It is described as a modified and more targeted successor to Industroyer/Crash Override, designed to work directly with IEC 104 in electrical substations and to interact directly with utility equipment by sending commands to substation devices, including circuit breakers and protective relays, in order to disrupt the flow of power and trigger blackouts. Unlike the original Industroyer, which relied on an external .ini file for customization, Industroyer2 embeds network-specific parameters such as IP addresses, ports, IEC-104 details, and Information Object Addresses, indicating target-specific configuration.
CERT-UA and ESET reported that Sandworm targeted high-voltage electrical substations in Ukraine with Industroyer2 in early April 2022, in an apparent attempt to cause widespread power outages, which would have been a third blackout in Ukraine. The intrusion reportedly began in February 2022 or earlier, with the malware planted in the systems of a regional Ukrainian energy company, and deployment was attempted in April 2022. Ukrainian defenders detected the attack in progress and mitigated it before a major blackout occurred. Some reporting referenced temporary outages at nine substations in an earlier advisory. The affected utility was not publicly named, but the area it served reportedly included more than 2 million people.
The operation also involved destructive malware deployed alongside Industroyer2, including Windows, Linux, and Solaris wipers, as well as CaddyWiper. Broader reporting on Russian operations against Ukraine in 2022 also lists Industroyer2 among destructive malware families used in attacks on Ukrainian targets. ESET assessed with high confidence that Industroyer2 was developed by the same authors as the original Industroyer. The malware is associated with attacks on critical energy infrastructure, specifically high-voltage substations and electric utilities in Ukraine, and reporting warns that Sandworm’s continued maintenance of this tooling demonstrates an ongoing threat to electricity and energy infrastructure beyond Ukraine.
Detection-oriented content tied to Industroyer2 includes a Splunk analytic for Sysmon Event ID 5 process termination of PServiceControl.exe and PService_PPD.exe, described as processes related to energy facility networks, as well as a generated Sysmon dataset for Industroyer2 dated 2022-04-22 for testing and replay workflows.
Groups observed using it
1 distinct threat actor attributed by public researchers.
CERT-UA and ESET issued advisories that the Sandworm hacker group ... had targeted high-voltage electrical substations in Ukraine using a variation on a piece of malware known as Industroyer or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of power...
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 1 technique
Persistence: 3 techniques
Privilege Escalation: 2 techniques
Defense Impairment: 1 technique
Credential Access: 1 technique
Related detections (Credential Access): Dump LSASS via procdump; Creation of lsass Dump with Taskmgr; Access LSASS Memory for Dump Creation; Detect Credential Dumping through LSASS access; Dump LSASS via comsvcs DLL; Windows Credential Dumping LSASS Memory Createdump; Windows Possible Credential Dumping.
Discovery: 3 techniques
"The functionalities of the payload components include mapping the network, and then issuing commands to the specific industrial control devices."
Command and Control: 1 technique
Impact: 4 techniques
Following Russia’s invasion of Ukraine on 24 February 2022, likely Russian threat actors conducted several disruptive and destructive computer network attacks against Ukrainian targets... To date, there are eight tracked malware families that Russia-linked cyber threat actors have used for destructive activity against Ukraine: WhisperGate/Whisperkill, FoxBlade (HermeticWiper), SonicVote (HermeticRansom), CaddyWiper, DesertBlade, Industroyer2, Lasainraw (IsaacWiper) and FiberLake (DoubleZero).
The following analytic detects attempts to stop or clear a service on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like "systemctl," "service," and "svcadm" executing stop commands.
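As an added example (not Mallory's, Splunk's or the page's own code), the two analytics described on this page, the Sysmon Event ID 5 termination rule for PServiceControl.exe and PService_PPD.exe and the Linux systemctl/service/svcadm stop rule, written as detection logic over constructed sample events; the event field names and the inclusion of svcadm's "disable" verb are assumptions.

```python
"""Added example, not the page's or any vendor's code: the two analytics named on
this page, run over constructed sample telemetry (field names are assumptions)."""
import shlex

# Process names from the Sysmon Event ID 5 analytic described above.
TARGET_IMAGES = {"pservicecontrol.exe", "pservice_ppd.exe"}
# Service managers from the Linux analytic; "disable" added as svcadm's stop verb.
LINUX_SVC_TOOLS = {"systemctl", "service", "svcadm"}
STOP_VERBS = {"stop", "disable"}

# Constructed sample events, not real logs.
SYSMON_EVENTS = [
    {"EventID": 5, "Image": "C:\\Windows\\System32\\svchost.exe", "Computer": "HMI-01"},
    {"EventID": 5, "Image": "C:\\PService\\PServiceControl.exe", "Computer": "HMI-01"},
    {"EventID": 1, "Image": "C:\\PService\\PService_PPD.exe", "Computer": "HMI-01"},
    {"EventID": 5, "Image": "C:\\PService\\pservice_ppd.exe", "Computer": "SCADA-02"},
]
LINUX_EVENTS = [
    {"host": "rtu-gw-1", "process": "/bin/systemctl stop iec104-gateway.service"},
    {"host": "rtu-gw-1", "process": "systemctl status sshd"},
    {"host": "sol-hist-1", "process": "/usr/sbin/svcadm disable -t svc:/network/ssh"},
    {"host": "rtu-gw-2", "process": "service nginx stop"},
    {"host": "rtu-gw-2", "process": "echo stop"},
]

def sysmon_termination_hits(events):
    """Sysmon EventID 5 (ProcessTerminate) events whose image is a target name."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5:
            continue  # EventID 1 (creation) of the same image is a different signal
        basename = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1]
        if basename.lower() in TARGET_IMAGES:
            hits.append(ev)
    return hits

def linux_service_stop_hits(events):
    """EDR process events where a service manager is invoked with a stop verb."""
    hits = []
    for ev in events:
        try:
            argv = shlex.split(ev.get("process", ""))
        except ValueError:
            continue  # unbalanced quoting: skip rather than abort the hunt
        tool = argv[0].rsplit("/", 1)[-1] if argv else ""
        if tool in LINUX_SVC_TOOLS and STOP_VERBS & set(argv[1:]):
            hits.append(ev)
    return hits
```

Matching on the image basename rather than the full path keeps the rule working when the binaries live in a different directory, and the tool check on argv[0] avoids firing on unrelated command lines that merely contain the word "stop".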
Recent activity
39 sources tracked across advisories, community write-ups, and news.
A more targeted version of Industroyer, focused on direct interaction with the IEC 104 protocol at electrical substations in order to disrupt the power supply.
Updated OT malware used in an attempted power disruption during the Ukraine war.
Referenced as an example of credible OT malware that includes environment-specific configuration such as IPs, ports, and IEC-104 parameters needed to affect industrial processes.
Updated variant of Industroyer designed to disrupt electrical infrastructure in Ukraine through operational technology attack paths.