{"description": "ICS techniques used by Industroyer, ATT&CK software S0604 (v1.1)", "name": "Industroyer (S0604)", "domain": "ics-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T0800", "comment": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case it is used by the adversary to prevent the SIPROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. (Citation: Joe Slowik August 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0802", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) automatically collects protocol object data to learn about control devices in the environment. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0803", "comment": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes from accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0804", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes from accessing them. This may block processes or operators from getting reporting messages from a device. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0805", "comment": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes from accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0806", "comment": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOAs) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop in which it switches the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it adds a shift value to the default range values. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0807", "comment": "The name of the [Industroyer](https://attack.mitre.org/software/S0604) payload DLL is supplied by the attackers via a command line parameter passed in one of the main backdoor's 'execute a shell command' commands. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0884", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) attempts to connect with a hardcoded internal proxy on TCP 3128 (the default Squid proxy port). If established, the backdoor attempts to reach an external C2 server via the internal proxy. (Citation: Dragos Inc. June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0809", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives, specifically targeting ABB PCM600 configuration files. (Citation: Dragos Inc. June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0813", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily, causing a denial of control. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0814", "comment": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. (Citation: Anton Cherepanov, ESET June 2017) Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0815", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily, causing a denial of view. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0816", "comment": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0827", "comment": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0837", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. (Citation: Joe Slowik August 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0829", "comment": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0831", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) toggles breakers to the open state utilizing unauthorized command messages. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0832", "comment": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC module can brute force values and sends out a 0x01 status, which for the target systems equates to a Primary Variable Out of Limits, misdirecting operators from understanding protective relay status. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0801", "comment": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0840", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0846", "comment": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102. (Citation: Anton Cherepanov, ESET June 2017)\n\n[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with the `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0888", "comment": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 component sends the domain-specific MMSgetNameList request to determine what logical nodes the device supports. It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function. (Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604)'s OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal. (Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604)'s IEC 60870-5-104 module includes a range mode to discover Information Object Addresses (IOAs) by enumerating through each. (Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0881", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) has the capability to stop a service itself, or to log in as a user and stop a service as that user. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0855", "comment": "Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0604) sends unauthorized commands to RTUs to change the state of equipment. (Citation: Anton Cherepanov, ESET June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Industroyer", "color": "#66b1ff"}]}