Industroyer, Software S0604

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v16/theme/favicon.ico" type='image/x-icon'> <title>Industroyer, Software S0604 | MITRE ATT&CK®</title>   <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-select.min.css" />  <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v16/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1">  <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href="/versions/v16/"><img src="/versions/v16/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v16/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v16/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/groups">Groups</a> <a class="dropdown-item" href="/versions/v16/software">Software</a> <a class="dropdown-item" href="/versions/v16/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v16/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v16/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v16/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v16/resources/faq/">FAQ</a> <a class="dropdown-item" href="/versions/v16/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v16/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v16/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/versions/v16/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1">  <div class="col px-0">  <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v16/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1" target="_blank">ATT&CK v16.1</a> which is the current version of ATT&CK. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div class="container-fluid d-none"> Reminder: the TAXII 2.0 server will be <a href='https://medium.com/mitre-attack/introducing-taxii-2-1-and-a-fond-farewell-to-taxii-2-0-d9fca6ce4c58'>retiring on December 18</a>. Please switch to the <a href='https://github.com/mitre-attack/attack-workbench-taxii-server/blob/main/docs/USAGE.md'>TAXII 2.1 server</a> to ensure uninterrupted service. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0">   <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div>  <div id="sidebars"></div>  </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v16/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v16/software/">Software</a></li> <li class="breadcrumb-item">Industroyer</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Industroyer </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/versions/v16/software/S0604">Industroyer</a> is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> <a href="/versions/v16/software/S0604">Industroyer</a> was used in the attacks on the Ukrainian power grid in December 2016.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> This is the first publicly known malware specifically designed to target and impact operations in the electric grid.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>S0604 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Names that have overlapping reference to a software entry and may refer to the same or similar software in threat intelligence reporting">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Associated Software</span>: CRASHOVERRIDE, Win32/Industroyer </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="This software is commercial, custom closed source, or open source software intended to be used for malicious purposes by adversaries">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Type</span>: MALWARE </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms</span>: Windows </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors</span>: Dragos Threat Intelligence; Joe Slowik - Dragos </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version</span>: 1.1 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>04 January 2021 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>11 April 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of S0604" href="/versions/v16/software/S0604/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of S0604" href="/software/S0604/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div> <h2 class="pt-3" id ="aliasDescription">Associated Software Descriptions</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> CRASHOVERRIDE </td> <td> <p><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> Win32/Industroyer </td> <td> <p><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> </tbody> </table> </div>  <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&CK<sup>®</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/versions/v16/software/S0604/S0604-enterprise-layer.json" download target="_blank">download</a>  <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/versions/v16/theme/images/external-site-dark.jpeg"></a> <script src="/versions/v16/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "software/S0604/S0604-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> <div class="dropdown-divider"></div> <h6 class="dropdown-header">ICS Layer</h6> <a class="dropdown-item" href="/versions/v16/software/S0604/S0604-ics-layer.json" download target="_blank">download</a>  <a class="dropdown-item" href="#" id="view-layer-on-navigator-ics" target="_blank">view <img width="10" src="/versions/v16/theme/images/external-site-dark.jpeg"></a> <script src="/versions/v16/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "software/S0604/S0604-ics-layer.json"; document.getElementById("view-layer-on-navigator-ics").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-ics").classList.add("d-none"); } </script> </div> </div>  <h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1071">T1071</a> </td> <td> <a href="/versions/v16/techniques/T1071/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a>鈥檚 main backdoor connected to a remote C2 server using HTTPS.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1554">T1554</a> </td> <td> <a href="/versions/v16/techniques/T1554">Compromise Host Software Binary</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1543">T1543</a> </td> <td> <a href="/versions/v16/techniques/T1543/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/003">Windows Service</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> can use an arbitrary system service to load at system boot for persistence and replaces the ImagePath registry value of a Windows service with a new backdoor binary.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1485">T1485</a> </td> <td> <a href="/versions/v16/techniques/T1485">Data Destruction</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a>鈥檚 data wiper module clears registry keys and overwrites both ICS configuration and Windows files.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1140">T1140</a> </td> <td> <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> decrypts code to connect to a remote C2 server.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1499">T1499</a> </td> <td> <a href="/versions/v16/techniques/T1499/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1499">Endpoint Denial of Service</a>: <a href="/versions/v16/techniques/T1499/004">Application or System Exploitation</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1041">T1041</a> </td> <td> <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1083">T1083</a> </td> <td> <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a>鈥檚 data wiper component enumerates specific files on all the Windows drives.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1105">T1105</a> </td> <td> <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> downloads a shellcode payload from a remote C2 server and loads it into memory.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1046">T1046</a> </td> <td> <a href="/versions/v16/techniques/T1046">Network Service Discovery</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> uses a custom port scanner to map out a network.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1027">T1027</a> </td> <td> <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> uses heavily obfuscated code in its Windows Notepad backdoor.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1572">T1572</a> </td> <td> <a href="/versions/v16/techniques/T1572">Protocol Tunneling</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1090">T1090</a> </td> <td> <a href="/versions/v16/techniques/T1090/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1090">Proxy</a>: <a href="/versions/v16/techniques/T1090/003">Multi-hop Proxy</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> used <a href="/versions/v16/software/S0183">Tor</a> nodes for C2.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1012">T1012</a> </td> <td> <a href="/versions/v16/techniques/T1012">Query Registry</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> has a data wiper component that enumerates keys in the Registry <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services</code>.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1018">T1018</a> </td> <td> <a href="/versions/v16/techniques/T1018">Remote System Discovery</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> can enumerate remote computers in the compromised network.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1489">T1489</a> </td> <td> <a href="/versions/v16/techniques/T1489">Service Stop</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a>鈥檚 data wiper module writes zeros into the registry keys in <code>SYSTEM\CurrentControlSet\Services</code> to render a system inoperable.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1082">T1082</a> </td> <td> <a href="/versions/v16/techniques/T1082">System Information Discovery</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> collects the victim machine鈥檚 Windows GUID.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1016">T1016</a> </td> <td> <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a>鈥檚 61850 payload component enumerates connected network adapters and their corresponding IP addresses.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1078">T1078</a> </td> <td> <a href="/versions/v16/techniques/T1078">Valid Accounts</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> can use supplied user credentials to execute processes and stop services.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0800">T0800</a> </td> <td> <a href="/versions/v16/techniques/T0800">Activate Firmware Update Mode</a> </td> <td> <p>The <a href="/versions/v16/software/S0604">Industroyer</a> SIPROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SIPROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 "data-reference="Joe Slowik August 2019"><sup><a href="https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0802">T0802</a> </td> <td> <a href="/versions/v16/techniques/T0802">Automated Collection</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> automatically collects protocol object data to learn about control devices in the environment. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0803">T0803</a> </td> <td> <a href="/versions/v16/techniques/T0803">Block Command Message</a> </td> <td> <p>In <a href="/versions/v16/software/S0604">Industroyer</a> the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0804">T0804</a> </td> <td> <a href="/versions/v16/techniques/T0804">Block Reporting Message</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0805">T0805</a> </td> <td> <a href="/versions/v16/techniques/T0805">Block Serial COM</a> </td> <td> <p>In <a href="/versions/v16/software/S0604">Industroyer</a> the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0806">T0806</a> </td> <td> <a href="/versions/v16/techniques/T0806">Brute Force I/O</a> </td> <td> <p>The <a href="/versions/v16/software/S0604">Industroyer</a> IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0807">T0807</a> </td> <td> <a href="/versions/v16/techniques/T0807">Command-Line Interface</a> </td> <td> <p>The name of the <a href="/versions/v16/software/S0604">Industroyer</a> payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors execute a shell command commands. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0884">T0884</a> </td> <td> <a href="/versions/v16/techniques/T0884">Connection Proxy</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> attempts to connect with a hardcoded internal proxy on TCP 3128 [default Squid proxy]. If established, the backdoor attempts to reach an external C2 server via the internal proxy. <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 "data-reference="Dragos Inc. June 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0809">T0809</a> </td> <td> <a href="/versions/v16/techniques/T0809">Data Destruction</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files. <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 "data-reference="Dragos Inc. June 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0813">T0813</a> </td> <td> <a href="/versions/v16/techniques/T0813">Denial of Control</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> is able to block serial COM channels temporarily causing a denial of control. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0814">T0814</a> </td> <td> <a href="/versions/v16/techniques/T0814">Denial of Service</a> </td> <td> <p>The <a href="/versions/v16/software/S0604">Industroyer</a> SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0815">T0815</a> </td> <td> <a href="/versions/v16/techniques/T0815">Denial of View</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> is able to block serial COM channels temporarily causing a denial of view. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0816">T0816</a> </td> <td> <a href="/versions/v16/techniques/T0816">Device Restart/Shutdown</a> </td> <td> <p>The <a href="/versions/v16/software/S0604">Industroyer</a> SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0827">T0827</a> </td> <td> <a href="/versions/v16/techniques/T0827">Loss of Control</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a>'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0837">T0837</a> </td> <td> <a href="/versions/v16/techniques/T0837">Loss of Protection</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 "data-reference="Joe Slowik August 2019"><sup><a href="https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0829">T0829</a> </td> <td> <a href="/versions/v16/techniques/T0829">Loss of View</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a>'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0831">T0831</a> </td> <td> <a href="/versions/v16/techniques/T0831">Manipulation of Control</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> toggles breakers to the open state utilizing unauthorized command messages. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0832">T0832</a> </td> <td> <a href="/versions/v16/techniques/T0832">Manipulation of View</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a>'s OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a Primary Variable Out of Limits misdirecting operators from understanding protective relay status. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0801">T0801</a> </td> <td> <a href="/versions/v16/techniques/T0801">Monitor Process State</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a>'s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0840">T0840</a> </td> <td> <a href="/versions/v16/techniques/T0840">Network Connection Enumeration</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0846">T0846</a> </td> <td> <a href="/versions/v16/techniques/T0846">Remote System Discovery</a> </td> <td> <p>The <a href="/versions/v16/software/S0604">Industroyer</a> IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p><p><a href="/versions/v16/software/S0604">Industroyer</a> contains an OPC DA module that enumerates all OPC servers using the <code>ICatInformation::EnumClassesOfCategories</code> method with <code>CATID_OPCDAServer20</code> category identifier and <code>IOPCServer::GetStatus</code> to identify the ones running.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0888">T0888</a> </td> <td> <a href="/versions/v16/techniques/T0888">Remote System Information Discovery</a> </td> <td> <p>The <a href="/versions/v16/software/S0604">Industroyer</a> IEC 61850 component sends the domain-specific MMSgetNameList request to determine what logical nodes the device supports. It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p><p><a href="/versions/v16/software/S0604">Industroyer</a>'s OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p><p><a href="/versions/v16/software/S0604">Industroyer</a> IEC 60870-5-104 module includes a range mode to discover Information Object Addresses (IOAs) by enumerating through each.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0881">T0881</a> </td> <td> <a href="/versions/v16/techniques/T0881">Service Stop</a> </td> <td> <p><a href="/versions/v16/software/S0604">Industroyer</a> has the capability to stop a service itself, or to login as a user and stop a service as that user. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0855">T0855</a> </td> <td> <a href="/versions/v16/techniques/T0855">Unauthorized Command Message</a> </td> <td> <p>Using its protocol payloads, <a href="/versions/v16/software/S0604">Industroyer</a> sends unauthorized commands to RTUs to change the state of equipment. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 "data-reference="Anton Cherepanov, ESET June 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="groups">Groups That Use This Software</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col" width="20%">Name</th> <th scope="col">References</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/groups/G0034">G0034</a> </td> <td> <a href="/versions/v16/groups/G0034">Sandworm Team</a> </td> <td> <p><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020."data-reference="Secureworks IRON VIKING"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-viking" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 "data-reference="Joe Slowik August 2019"><sup><a href="https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="campaigns">Campaigns</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/campaigns/C0025">C0025</a> </td> <td> <a href="/versions/v16/campaigns/C0025">2016 Ukraine Electric Power Attack</a> </td> <td> <p>Within the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/software/S0604">Industroyer</a> was used to target and disrupt the Ukrainian power grid substation components.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank"> Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank"> Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank"> Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" target="_blank"> Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank"> Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="6.0"> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank"> Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.secureworks.com/research/threat-profiles/iron-viking" target="_blank"> Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank"> Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank"> Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>   <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1">  <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v16/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v16/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v16.1Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div>  </div>  <script src="/versions/v16/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v16/theme/scripts/popper.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v16/theme/scripts/site.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/search_bundle.js"></script>  <script src="/versions/v16/theme/scripts/resizer.js"></script>  <script src="/versions/v16/theme/scripts/sidebar-load-all.js"></script> <script src="/versions/v16/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/tour/tour-relationships.js"></script> </body> </html>

CINXE.COM

Industroyer, Software S0604 | MITRE ATT&CK®