User:Blaza7373/sandbox

This is the user sandbox of Blaza7373. A user sandbox is a subpage of the user's user page. It serves as a testing spot and page development space for the user and is not an encyclopedia article. Create or edit your own sandbox here.

Other sandboxes: Main sandbox | Template sandbox

Finished writing a draft article? Are you ready to request review of it by an experienced editor for possible inclusion in Wikipedia? Submit your draft for review!

Industroyer[edit]

Industroyer (also referred to as Crashoverride) is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. ^[1] ^[2] ^[3] The attack cut a part of Kiev, the capital, off power for one hour and is considered to have been a large-scale test. ^[4] Industroyer is the first ever known malware specifically designed to attack electrical grids. ^[5] At the same time, it is the fourth malware publicly revealed to target Industrial Control Systems, after Stuxnet, Havex, and BlackEnergy.^[5]

Discovery and Naming[edit]

The malware was discovered by Slovak internet security company ESET. ESET and most of the cybersecurity companies detect it under the name “Industroyer”.^[6] ^[7] Cybersecurity firm Dragos named the malware “Crashoverride”. ^[5]

Description[edit]

Researchers who analyzed Industroyer ^[5] ^[8] revealed that the malware was designed to disrupt the working processes of industrial control systems, specifically those used in electrical substations. Industroyer is modular malware; its main components are the following:

A main backdoor is used to control all other components of the malware. It connects to its remote Command & Control servers in order to receive commands from the attackers.
An additional backdoor provides an alternative persistence mechanism that allows the attackers to regain access to a targeted network in case the main backdoor is detected and/or disabled.
A launcher component is a separate executable responsible for launching the payload components and the data wiper component. The launcher component contains a specific activation time and date; analyzed samples contained two dates: December 17th, 2016 and December 20th, 2016. (Note: the former date was the date the attack actually went ahead.)
Four payload components target particular industrial communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC Data Access). The functionalities of the payload components include mapping the network, and then issuing commands to the specific industrial control devices.
A data wiper component is designed to erase system-crucial Registry keys and overwrite files to make the system unbootable and recovery from the attack harder.

References[edit]

^ "NPC Ukrenergo official statement". Facebook. 2016-12-18.
^ Pavel Polityuk, Oleg Vukmanovic and Stephen Jewkes (2017-01-18). "Ukraine's power outage was a cyber attack: Ukrenergo". Reuters.
^ Anton Cherepanov (2017-06-17). "Industroyer: Biggest threat to industrial control systems since Stuxnet". WeLiveSecurity.
^ Kim Zetter (2017-01-17). "The Ukrainian Power Grid Was Hacked Again". Motherboard.
^ ^a ^b ^c ^d Dragos Inc. (2017-06-12). "CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations" (PDF). Dragos. Cite error: The named reference "Dragos" was defined multiple times with different content (see the help page).
^ "Industroyer main backdoor detections VT1". Virustotal. 2017-06-27.
^ "Industroyer data wiper component detections VT2". Virustotal. 2017-06-27.
^ Anton Cherepanov (2017-06-12). "WIN32/INDUSTROYER A new threat for industrial control systems" (PDF). WeLiveSecurity.

User:Blaza7373/sandbox

Industroyer[edit]

Discovery and Naming[edit]

Description[edit]

See also[edit]

References[edit]

Further reading[edit]