Industry News

How Cyber Attackers are Targeting Industrial Machines in 2022-2023

05 January 2023


It was a unique year for big machines. In 2022, there were two new entries into what some call an “elite league of malware”: malware built to target the industrial machines that run our world, from power plants to traffic lights to water systems.

What does it mean to have two new players in this hall of infamy, now at a total of seven? We take a look at the impacts this year, plus at what could happen in 2023.



Bombs rained down on Ukraine at the end of 2022, destroying power equipment and causing blackouts. On April 8th, a cyber weapon was at work trying to do the same, in a far more surreptitious way.

Cyber attackers tried to shut off power in an unidentified region late on a Friday afternoon.

“If they had been successful and they had inflicted critical damage, that would have meant two million people without electricity supply, when you talk about civilians, let alone commercial and other enterprises that are stationed in this region,” said Deputy Minister Farid Safarov of the Ministry of Energy of Ukraine.

Ukrainian defenders stopped the attack before it could do damage, and in doing so uncovered the newest member of an exclusive group: industrial malware designed to target the machines that bring cities to life and move ships, planes, gas and water.



Researchers named the new malware Industroyer 2 after the original Industroyer, which caused a power outage in Ukraine in December 2016.

“When we discover something that’s as targeted as this, it’s definitely a reason to be alert,” said Robert Lipovsky, threat intelligence researcher at security company ESET in an interview with Ampere News.

Lipovsky helped analyze Industroyer 2 and presented his team’s findings at the S4x22 industrial cybersecurity conference in Miami in April 2022. It was a slimmer, more focused version of the first Industroyer, possibly designed to weed out errors from the first attempt, Lipovsky said.

“Maybe they chose that because doing it in a simpler fashion might be more effective,” he said.

Alongside it, the attackers also deployed wiper malware to destroy systems, cover their own tracks, and make it harder to get the power back on.

Behind both Industroyer attacks is Sandworm, a Russian military cyberattack group that has plagued Ukraine for years. Six alleged Sandworm members were indicted by the U.S. in 2020 for alleged crimes targeting countries around the world. The U.S. offered a $10 million reward for information on them in 2022.

“I would say no, not to worry, but make sure that you have the capability of detecting malware like this and thwarting these incidents similarly to what the Ukrainians have been able to do, because with the situation that we are in, it’s not possible to rule out where these attackers might strike next,” Lipovsky said.



Just five days after the Industroyer 2 attack, another industrial malware emerged, bringing the known total of this type of malware to seven. Researchers named this one Incontroller or Pipedream, depending on the company writing up the research.

There is little information on who found it and how, but researchers say it could have a big impact on industrial machines.

“The code’s a little cleaner. And the reality of them being able to be successful is a little higher. So, you kind of perk up a little bit: ‘Oh, wow!’ The malware writers are getting smart,” said Ron Fabela, CTO & Co-Founder of security company SynSaber.



An April advisory from the U.S. government said Incontroller can take over and control critical devices, even allowing attackers to see a mirrored view of the control screen and run the machines from afar.

“We know that it was caught before it was deployed. As far as we know, there’s no victims of this. So, that’s a good thing,” said Chris Sistrunk, technical manager with security company Mandiant. “But we still have to analyze it and see what the impact could be. And that it could potentially cause major issues if actually this type of malware were deployed in an actual critical infrastructure situation.”

It’s very likely state sponsored, said Mandiant in a report, and “represents an exceptionally rare and dangerous cyberattack capability.”

It “can lead to a loss of safety, availability, and control of an industrial environment,” said security company Dragos, “dramatically increasing time-to-recovery, while potentially placing lives, livelihoods, and communities at risk.”

“These people are up to no good. I mean, they’re trying to get into industrial controls and do bad stuff,” said K. Reid Wightman, vulnerability analyst with Dragos. “We don’t see any evidence of what the real payload or end goal is. So, we just have no idea. But they’re looking. And to me, that’s significant.”



Researchers say both Industroyer 2 and Incontroller can be reworked and reused against other targets.

“From a geek side, it’s always interesting to see new perspectives,” said Jori VanAntwerp, CEO & Co-Founder of SynSaber. “From an impact perspective, it’s always a little scary. Especially when it’s critical infrastructure, or even advanced manufacturing, there’s just so many physical, real-world ramifications of these types of malware, that it’s always a little scary.”



The April advisory recommends companies take steps to protect their systems, including:

  • strong passwords
  • multi-factor authentication
  • separating the industrial computers from the office computers
  • monitoring systems
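The advisory’s last two points, segmentation and monitoring, are easiest to act on as a concrete check over network flow records. The following is an added example, not code from the advisory or from any of the companies quoted above. It assumes a hypothetical layout (office/IT hosts on 10.10.0.0/16, plant/OT hosts on 10.20.0.0/16, and two engineering workstations that are the only hosts permitted to talk to controllers), uses the standard TCP ports of common industrial protocols, and treats VNC/RDP into the OT network as the likely carrier of a remote control-screen view; the flow-log lines are constructed for the example.

```python
"""Flag flows that violate IT/OT segmentation or show unexpected ICS clients.

Added example; the subnets, hosts and log lines are hypothetical/constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Assumed network layout (hypothetical).
IT_NET = ip_network("10.10.0.0/16")
OT_NET = ip_network("10.20.0.0/16")
ENGINEERING_WORKSTATIONS = {ip_address("10.20.1.10"), ip_address("10.20.1.11")}

# Standard TCP ports of common industrial protocols (real values).
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    4840: "OPC UA",
}
# Remote-desktop protocols; assumed carrier of a "mirrored control screen".
REMOTE_ACCESS_PORTS = {5900: "VNC", 3389: "RDP"}


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int


_FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_flow(line):
    """Parse one constructed flow-log line; return None for unparseable lines."""
    m = _FLOW_RE.search(line)
    if not m:
        return None
    return Flow(ip_address(m["src"]), ip_address(m["dst"]), int(m["dport"]))


def classify(flow):
    """Return a list of findings for a flow (empty list means nothing to report)."""
    findings = []
    if flow.dst not in OT_NET:
        return findings  # only traffic into the OT network is policed here
    if flow.src in IT_NET:
        findings.append(f"segmentation violation: IT host {flow.src} reached OT host {flow.dst} on port {flow.dport}")
    if flow.dport in ICS_PORTS and flow.src not in ENGINEERING_WORKSTATIONS:
        findings.append(f"unexpected {ICS_PORTS[flow.dport]} client: {flow.src} -> {flow.dst}")
    if flow.dport in REMOTE_ACCESS_PORTS and flow.src not in OT_NET:
        findings.append(f"{REMOTE_ACCESS_PORTS[flow.dport]} session into OT from outside: {flow.src} -> {flow.dst}")
    return findings


def scan(lines):
    """Run classify() over log lines; return (line, finding) pairs."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        for finding in classify(flow):
            results.append((line.strip(), finding))
    return results


# Constructed sample flow log: one allowed engineering session, one office host
# hitting a Modbus controller, one stray OT host polling IEC 104, one external
# VNC login into an engineering workstation, one ordinary office flow, one junk line.
SAMPLE_LOG = """\
2022-04-08T16:05:11Z src=10.20.1.10 dst=10.20.3.50 dport=502 proto=tcp
2022-04-08T16:05:40Z src=10.10.5.23 dst=10.20.3.50 dport=502 proto=tcp
2022-04-08T16:06:02Z src=10.20.7.99 dst=10.20.3.51 dport=2404 proto=tcp
2022-04-08T16:06:30Z src=203.0.113.7 dst=10.20.1.10 dport=5900 proto=tcp
2022-04-08T16:07:00Z src=10.10.5.23 dst=10.10.9.1 dport=443 proto=tcp
this line is not a flow record
"""

if __name__ == "__main__":
    for line, finding in scan(SAMPLE_LOG.splitlines()):
        print(f"{finding}\n    from: {line}")
```

The allow-list of engineering workstations is the key design choice: a controller being polled by a host that has never been an engineering station is exactly the kind of “looking around” Wightman describes, and it is visible in flow data even when the protocol payload is not inspected.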



Experts say attackers can’t cut off power to entire countries as you might see in the movies, and utilities are working to protect their systems, so massive industrial attacks are not likely or imminent for most people.

Even with two new members in the elite league of malware.

“It’s just something to keep aware of,” said Sistrunk. “We don’t see malware that impacts control systems very often. It’s just something that should not alarm us; we should just be aware. We don’t need to run around and scream, ‘The sky is falling!’ Because in Ukraine, it actually is falling there. They’re still being bombed to this day.”



What do experts see happening with industrial malware in 2023?

Some say attackers could rework the malware they already have rather than create something entirely new. But the most likely attack would simply be more ransomware, the malware that locks up systems and holds them for ransom.

Ransomware cases on industrial companies in 2022 include a gas pipeline in Europe, a water company in the UK, and a large tire manufacturer in the U.S.

Ransomware doesn’t usually target the industrial side of a company the way Industroyer 2 and Incontroller do. It hits the office (IT) side, but the effects can spill over into the industrial side, for example when a plant is shut down as a precaution or loses the business systems it depends on.

“Ransomware having direct or indirect disruption of industrial processes will continue to be the largest risk for industrial companies in 2023,” said Fabela.