Industroyer, also known as "CrashOverride", was a malware framework used in an attempt to cause widespread and lasting power outages in Ukraine. The attack was launched on December 17, 2016, roughly a year after the more damaging attack of December 23, 2015, and may have been a follow-on effort that reused some of the reconnaissance gathered in that earlier event. Measured against the attackers' apparent goals, Industroyer was a ‘failure’: it cut power to only about 20% of the city of Kiev for roughly an hour. It may nonetheless have been an incremental step in building a reusable attack framework.
The most striking feature of this attack was the depth of knowledge of the underlying OT protocols and the attempt to assemble a modular, scalable attack platform. The sophistication required to automatically discover endpoint devices and then drive them using the protocols' own legitimate control functions, rather than exploiting a software flaw, moves beyond the ‘rock breaker’ mindset into an area of finesse that will represent the reality of future attacks.
This post addresses some ‘common sense’ steps that can be implemented to prevent an attack like Industroyer. We will look at the structure of the attack both as a sequence of events and through the lens of the MITRE ATT&CK for ICS framework.