INDUSTROYER.V2 malware allows hackers to embed customized configurations that modify behavior

Mandiant has revealed that the INDUSTROYER.V2 malware variant can enable hackers to embed customized configurations that modify the malware’s behavior to specific intelligent electronic devices (IEDs) within the target environment. The design change to embed custom configurations in INDUSTROYER.V2 reduces the effort required by the cyber hacker to reproduce the attack against different victim environments and enables cybercriminals to contain the impact to specific targeted IEDs, such as protection relays and merging units.

“INDUSTROYER.V2 is similar to its predecessor, however, this variant contains more targeted functionality,” Mandiant said in a blog post on Monday. “Unlike the original INDUSTROYER, which was a framework that leveraged external modules to implement four different OT protocols, this variant is self-contained and only implements the IEC 60870-5-104 (IEC-104) communications protocol. IEC-104 is used for power system monitoring and control over TCP and is mainly implemented in Europe and the Middle East,” it added.

Mandiant also observed that it is unclear why the hacker made the particular modifications to INDUSTROYER.V2. “Perhaps the actor wanted to develop a more streamlined version to target a very specific environment, or they did not want to expose more valuable or capable tools, or they simply believed this approach would be efficient since it would not require additional resources to impact the target,” the company added.

Regardless of the motivations, the reuse of code from known OT (operational technology) malware highlights the value of hunting and detections based on known indicators, according to the post. 

“For instance, some detections we built for the original INDUSTROYER successfully identified INDUSTROYER.V2 in the wild,” Mandiant said. “While it is often believed that OT malware is not likely to be utilized in more than one environment, tools that take advantage of insecure by design OT features—such as INDUSTROYER.V2 does—can be employed multiple times to target multiple victims. The OT security community should recognize these tools as frameworks or capabilities, and not merely features of isolated cyber security incidents and one time use tools,” it added.

Earlier this month, ESET researchers collaborated with CERT-UA to respond to a cyber incident affecting an energy provider in Ukraine. The Sandworm attackers are said to have attempted to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine. The attack used industrial control system (ICS)-capable malware and regular disk wipers for Windows, Linux, and Solaris operating systems. The attack leveraged different pieces of malware including a variant of INDUSTROYER, an attack-oriented ICS malware originally deployed in December 2016 to cause power outages in Ukraine. 

“The attack is significant not only because OT-targeted attacks are rare, but also because this is the first instance in which code from broadly known attack-oriented OT malware was redeployed against a new victim,” Mandiant said in its latest post. “Despite five years of substantial analysis into INDUSTROYER from a variety of researchers, the actor still attempted to repurpose the tool and customized it to reach new targets,” it added. 

The INDUSTROYER.V2 malware reinforces the notion that OT malware can be tailored for use against multiple victims, which has serious implications for other publicly known OT malware families like INCONTROLLER, Mandiant observed.

The two versions of INDUSTROYER contain overlaps in code and similarities in execution flow and functionality, Mandiant said. In terms of the shared features in execution and functionality, the post identified that both versions contain code that first terminates a specific process on the target remote station, prior to establishing IEC-104 communication, and that both versions craft specific ASDU messages according to provided configuration settings. The application service data unit (ASDU) is the payload of the application protocol data unit (APDU), and its data structure holds application layer information to exchange between a control center and a remote terminal unit (RTU).

In addition, Mandiant also revealed that both versions contain an ability to deliver pre-defined ASDU messages to a specified IOA range, and both versions contain an option to direct the malware to craft an additional ASDU message which inverts the previous ON/OFF command and sends it to the target remote station.

One difference Mandiant identified between both variants is that, unlike its predecessor, INDUSTROYER.V2 contains altered debugging messages which obfuscate the meaning of the outputs. “However, we note these debugging messages are formatted and printed at similar execution points of key functions. Further, the obfuscation was not implemented in key portions of IEC-104 code which are reused in both versions, which enables us to visualize the overlaps. For example, both INDUSTROYER versions use very similar code to parse APDU traffic and print specific parsed fields,” it added.

“Additional notable code overlaps between the two versions exist in implementation of ASDU frame creation, sending of APDU messages, change option execution, and thread setup for IEC-104 functionality,” Mandiant added.

Additionally, industrial cybersecurity firm Dragos has also made available details about the Chernovite Activity Group (AG) that developed Pipedream malware, a modular ICS attack framework that an adversary could use to cause disruption, degradation, and possibly even destruction depending on the targets and the environment. The initial ICS-tailored malware is assessed to be developed by a ‘state actor’ to be identified before use for its intended purpose, the company added.

These threats come at the same time as when global security agencies have issued a joint Cybersecurity Advisory (CSA) warning organizations that the Russian invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber hackers or Russian-aligned cybercrime groups.

Mandiant proposed earlier in April the deployment of proactive security assessments in operational environments, as that involves real-world simulation of adversary techniques, which have proven to be invaluable methods for uncovering critical security issues and high-risk attack paths in enterprise environments.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.