Evolution of ICS Malware
From chainsawed power poles to Industroyer

In the past, most power outages were caused by severe weather conditions, short circuits or human error, but some of them can be considered “engineered” attacks, as they were caused by malicious actors using explosions or, more easily, by cutting several critical power poles with a chainsaw.

There are multiple definitions of exactly what is meant by a “cyber threat”, but they all share a common underlying message: unauthorized access to a system, or loss of confidentiality, integrity, and/or availability of the system, data, or applications.

As for history, the first recorded “hacking” dates from 1902, when it was launched against the Marconi Wireless Telegraph. Moving forward in time, some destructive human actions can be considered the first attacks on the integrity and availability of power systems, such as the explosions in Florida in 1969 and Utah in 1981, or the chainsaw attack in Miami in 1985.

The history of cyberattacks is nearly as long and as brief as the history of interconnected digital technology. Early home and office computers were infected by computer viruses, mostly transmitted through shared floppy disks. The potential for infection by a virus only grew as computers became networked. The earliest attacks began to take shape using common Internet applications like e-mail to propagate malicious code from computer to computer. Breaking into computers continued, as did breaking into webpages for the purpose of defacing them. Much of the early activity was focused on misguided fun, early hacktivism, or notoriety.

Energy is seen as the second infrastructure that could be attacked, and malicious cyber activities on ICS computers are considered an “extremely dangerous threat” because they could potentially cause material losses and production downtime in the operation of industrial facilities, which can include systems that form part of countries’ critical national infrastructure.

New tools were developed, and the first ICS-related malware became known in 2010, when Stuxnet was among the most sophisticated malware known at the time. It infected control system networks and was believed by some to have damaged as many as one-fifth of the nuclear centrifuges in Iran. What made Stuxnet so dangerous was that it self-replicated and spread throughout multiple systems via multiple paths such as LANs, SMB, Siemens WinCC HMI and Siemens Step 7. Stuxnet exploited some unpatched Microsoft vulnerabilities, which provided the basis for self-replication and escalation of privileges. Stuxnet was a precision weapon that looked for exact software to be installed and specific equipment to be connected to a system. If it found the proper configuration it was looking for, it modified and sabotaged the code on Siemens PLCs by injecting ladder logic code directly into them. If it did not find all of these things, it self-terminated.

A key lesson learned from Stuxnet is that a well-financed, sophisticated threat actor can likely attack any system that it desires.

From that point on, numerous variants and new malware were developed and used, such as:

  • 2010 Malware Night Dragon
    • Attackers used sophisticated malware to target global oil, energy, and petrochemical companies.
  • 2011 Malware Duqu
    • Advanced and complex malware used to target specific organizations, including ICS manufacturers.
  • 2012 Malware Shamoon
    • Malware used to target large energy companies in the Middle East, including Saudi Aramco and RasGas.
  • 2013 Malware Havex
    • A focused malware campaign used as part of a widespread espionage campaign targeting ICS environments across numerous industries. It scanned infected systems to locate SCADA or ICS devices on the network and sent data back to the attackers.

Importantly, in 2014 a new modified malware called Black Energy 2, derived from an IT malware, was designed to target human-machine interface (HMI) software from multiple vendors, such as GE, Advantech and Siemens. It was successfully used in the cyberattack that took down the Ukrainian power grid in Dec 2015 and exfiltrated a lot of sensitive data.

This opened the way for the next generation of modular, specialized malware, and in 2016 Crash Override/Industroyer appeared, the first known malware designed to attack electric grid systems. It was used in Dec 2016 to hack a major substation in Ukraine. What makes Crash Override so sophisticated is its ability to use the same protocols that individual electric grid systems rely on to communicate with one another, sometimes called control-plane protocols.


This project has received funding from the European Union’s Horizon 2020 research and Innovation programme under grant agreement N°832989. All information on this website reflects only the authors’ view. The Agency and the Commission are not responsible for any use that may be made of the information this website contains.
