[Report based on MITRE ATT&CK: Industroyer 2] "The Most Critical OT Cyberattack"

Industroyer 2 Attack – The Most Critical Cyber Threat to Power Grids

Industroyer 2 is a highly advanced cyberattack specifically designed to target power grid infrastructure. It is an evolution of Industroyer (CrashOverride), which was responsible for the 2016 cyberattack on Ukraine's power grid. Industroyer 2 was discovered in April 2022, once again targeting Ukraine’s high-voltage electrical substations. This attack demonstrated an advanced understanding of OT protocols, particularly those used in energy sector operations.


1. Overview of Industroyer 2 Attack

  • First Detected: April 2022
  • Primary Target: Ukrainian Power Grid
  • Attackers: Sandworm (APT Group, linked to Russian GRU intelligence)
  • Main Objective: Cause a blackout by disabling protective relays and circuit breakers in high-voltage substations
  • Targeted System: IEC 60870-5-104-based SCADA systems controlling power substations
  • Entry Method: Compromised VPN credentials, lateral movement via Windows domain
  • Impact: Attempted shutdown of power distribution, but partially mitigated
  • Potential Consequences: If fully successful, it could have caused prolonged blackouts across Ukraine, disrupting critical infrastructure

2. Attack Methodology Based on MITRE ATT&CK for ICS

Industroyer 2 was designed to take direct control of electrical substations by leveraging vulnerabilities in industrial communication protocols. Below is a breakdown of the attack mapped to the MITRE ATT&CK for ICS framework:

  • Initial Access (T0815): Attackers gained access via stolen VPN credentials to an IT system managing the OT.
  • Execution (T0868): Custom malware was deployed to execute malicious commands on OT devices controlling substations.
  • Persistence (T0889): Attackers deployed backdoors to maintain access and control over the energy control systems.
  • Privilege Escalation (T0857): Exploited Windows domain administrator credentials to take control of SCADA workstations.
  • Discovery (T0847, T0844): Used network scanning tools to identify IEC 60870-5-104 protocol controllers.
  • Lateral Movement (T0883, T0856): Moved laterally from the IT network to the OT network using compromised administrator credentials.
  • Command and Control (T0866, T0871): Established C2 communication via VPN tunnels and Windows scheduled tasks.
  • Inhibit Response Function (T0803, T0879): Sent malicious IEC 60870-5-104 commands to disable circuit breakers and disconnect power substations.
  • Impact (T0806, T0807, T0828): Disrupted power grid operations by remotely issuing load-shedding commands.

3. Targeted OT System Model & Vulnerabilities

Industroyer 2 specifically targeted power grid substations by exploiting vulnerabilities in SCADA-controlled electrical distribution networks.

  • Targeted OT: SCADA systems managing Ukrainian power substations
  • OT Protocols Affected: IEC 60870-5-104 (Power Grid Remote Control), IEC 61850 MMS (Substation Automation), OPC DA (OLE for Process Control Data Access)
  • Targeted Devices: RTUs (Remote Terminal Units), Protective Relays, Circuit Breaker Controllers
  • Exploited Vulnerabilities: Weak authentication on VPN access, Unpatched Windows domain controllers in the OT network


4. Damage Scale & Global Impact

Impact on the Ukrainian Power Grid

  • Partial shutdown of electrical substations, but the attack was detected and mitigated before a large-scale blackout occurred.
  • Industroyer 2 was programmed to automate power disruptions, reducing the need for human intervention.

Global Repercussions

  • Highlighted the vulnerability of energy grids worldwide to state-sponsored cyberattacks.
  • Energy sector cybersecurity guidelines were revised globally to enhance OT network segmentation and monitor industrial protocols.


5. Defense Measures Against OT Cyber Threats

  • Zero Trust Architecture for OT Networks: Strict identity verification for all users and devices connecting to the OT network.
  • Multi-Factor Authentication (MFA) for Remote Access: Enforce MFA for VPNs and remote engineering workstations.
  • Firmware & Software Updates for RTUs & PLCs: Ensure SCADA controllers & protective relays are patched against vulnerabilities.
  • OT Network Monitoring & Threat Hunting: Deploy intrusion detection systems (IDS) for monitoring IEC 60870-5-104 & MMS traffic.
  • Enhanced Logging & Incident Response Drills: Improve forensic logging for early detection of anomalous commands in power grid networks.

6. Industroyer 2-Related Signatures & Indicators of Compromise (IOCs)

File & Registry Signatures

  • Malicious IEC 60870-5-104 Control Commands
  • Suspicious execution of custom-built malware designed to control substation RTUs

Network Activity

  • Unusual traffic using IEC 60870-5-104 commands outside normal operational hours
  • Unauthorized SCADA commands executed from compromised domain controllers
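As an added example (not part of the original post), the following Python detector covers the two network indicators above and the IDS recommendation in section 5: it parses IEC 60870-5-104 I-format frames and flags activated control commands (type IDs 45/46/47 are the standard's single, double and regulating step commands) that come from a host other than the permitted HMI, arrive outside the operating window, or switch a double command to OFF. The permitted host 10.10.1.5, the 06:00-21:59 window and the sample frames are constructed assumptions, and only the first information object of each ASDU is inspected.

```python
import datetime as dt

# Control (command) ASDU type identifiers defined by IEC 60870-5-104.
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step command"}
COT_ACTIVATION = 6                  # cause of transmission: activation
ALLOWED_SOURCES = {"10.10.1.5"}     # assumed: the only HMI permitted to send commands
OPERATING_HOURS = range(6, 22)      # assumed: 06:00-21:59 is the normal control window

def parse_apdu(apdu: bytes):
    """Return (type_id, cot, common_addr, ioa, element) for an I-format APDU, else None."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] + 2 != len(apdu):
        return None                 # not a complete IEC 104 frame (start 0x68 + length)
    if apdu[2] & 0x01:
        return None                 # S- or U-format frame: carries no ASDU
    asdu = apdu[6:]                 # skip start, length and the four APCI control octets
    if len(asdu) < 10:
        return None                 # too short for a single-object command ASDU
    type_id, cot = asdu[0], asdu[2] & 0x3F
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return type_id, cot, common_addr, ioa, asdu[9]

def check_frame(ts: dt.datetime, src: str, apdu: bytes) -> list:
    """Return the reasons an activated control command is suspicious ([] if benign)."""
    parsed = parse_apdu(apdu)
    if parsed is None:
        return []
    type_id, cot, common_addr, ioa, element = parsed
    if type_id not in CONTROL_TYPES or cot != COT_ACTIVATION:
        return []                   # monitoring, interrogation and confirmations are ignored
    reasons = []
    if src not in ALLOWED_SOURCES:
        reasons.append(f"{CONTROL_TYPES[type_id]} from unauthorized host {src}")
    if ts.hour not in OPERATING_HOURS:
        reasons.append(f"command at {ts:%H:%M} outside operating hours")
    if type_id == 46 and (element & 0x03) == 1:   # DCS=1 is OFF, usually 'open breaker'
        reasons.append(f"double command OFF on CA {common_addr} IOA {ioa}")
    return reasons

def scan(frames) -> list:
    """Run check_frame over (timestamp, source, apdu) tuples; keep only flagged frames."""
    return [(src, r) for ts, src, apdu in frames if (r := check_frame(ts, src, apdu))]
# Constructed sample traffic (not real captures): a daytime interrogation and single
# command from the HMI, then a night-time double command OFF from an unexpected host.
SAMPLE = [
    (dt.datetime(2022, 4, 8, 10, 0), "10.10.1.5", bytes.fromhex("680e0000000064010600010000000014")),
    (dt.datetime(2022, 4, 8, 10, 5), "10.10.1.5", bytes.fromhex("680e000000002d010600010014000001")),
    (dt.datetime(2022, 4, 8, 2, 13), "10.10.9.77", bytes.fromhex("680e000000002e01060001000a000001")),
]
```

Running `scan(SAMPLE)` flags only the third frame, with all three reasons attached; in practice the same checks would be fed from a capture or an IDS protocol parser rather than from inline bytes.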

Exploited Vulnerabilities

  • Unknown OT Vulnerabilities Exploited: Attackers used custom-built malware to send rogue IEC 60870-5-104 commands to substations.

7. Other Malware Related to Industroyer 2

  • Industroyer/CrashOverride (2016: Ukrainian Power Grid): First OT malware designed to control substations
  • PIPEDREAM/Incontroller (2022: Multiple OT): Modular malware targeting power, oil & gas PLCs


Conclusion

Industroyer 2 is one of the most advanced OT-targeted cyberattacks ever observed, demonstrating how state-sponsored adversaries can manipulate critical infrastructure using industrial protocols. If the attack had fully succeeded, it could have resulted in large-scale blackouts across Ukraine.


#CPS #OT #XIoT #IoT #IIoT #IoMT #CPSSecurity #OTSecurity #IoTSecurity #CPS보안 #OT보안 #IoT보안
