Crash Override, also known as Industroyer, is custom-built industrial control system malware associated with Sandworm, the Russian GRU-linked threat group also referred to as GRU Unit 74455. It was used in the 2016 cyberattack on Ukraine’s power grid that caused a blackout. The malware is designed to automate disruptive actions in electric utility environments by sending commands over multiple industrial protocols to open circuit breakers. The provided content explicitly links Crash Override/Industroyer to Sandworm’s 2016 Ukraine blackout activity and contrasts it with later Sandworm operations, including a 2022 attempted blackout using Industroyer2, described as a newer version of the same malware family. High-confidence targeting reflected in the content is Ukrainian electric utilities and power grid infrastructure.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct technique documented for this family, organized by ATT&CK tactic.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Industrial-control-focused malware discussed in connection with the 2016 Ukraine blackout and automated targeting of critical infrastructure.
Custom ICS-focused malware used to disrupt electric power operations by sending protocol commands to open circuit breakers at substations, enabling blackout-causing attacks.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.