Skip to main content
Mallory
Back to threat actors
2 malware familiesExploits CVEs in the wild

russian_nation_state_cyber_actors

Also known asrussian_nation_state_cyber_actors

Russian nation-state cyber actors were attributed by the U.S. Government in a July 20, 2021 update to activity involving deployment of CrashOverRide malware, also referred to in public reporting as Industroyer, in a cyberattack against Ukrainian critical infrastructure. The reported operation targeted industrial control system environments in the electric power sector in Ukraine. CrashOverRide was described as a scalable, extensible second-stage ICS attack platform that can operate independently of initial command-and-control. Reported capabilities include modules for IEC101, IEC104, and IEC61850; issuing valid commands directly to remote terminal units; rapid breaker open-close toggling; denial of service against local serial COM ports on Windows devices; scanning and mapping ICS environments including via OPC; potential exploitation of a Siemens relay denial-of-service condition requiring manual reset; and a wiper component that can render Windows systems unusable. The malware fundamentally abuses legitimate control system functionality, and the associated tactics, techniques, and procedures were assessed as adaptable to other critical infrastructure environments. No additional aliases or sub-groups were provided in the content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

6 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

4 of 15 tactics9 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
2 techniques
T1190
Exploit Public-Facing Application
T1566
Phishing
T1566.001
Spearphishing Attachment
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
T1059.003
Windows Command Shell
T1059.005
Visual Basic
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.002
SMB/Windows Admin Shares
TA0011
Command and Control
1 technique
T1105
Ingress Tool Transfer
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
BlackEnergy"ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware... can confirm that a BlackEnergy 3 variant was present in the system."1Mar 8, 2026
IndustroyerPublic reports from ESET and Dragos outlining a new, highly capable Industrial Controls Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine... the CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors.1Mar 18, 2026
WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2014-0751Directory Traversal in GE Proficy HMI/SCADA CIMPLICITY CimWebServerIn the wildEvidence1

Analysis of victim system artifacts has determined that the actors have been exploiting a vulnerability in GE’s Cimplicity HMI product since at least January 2012. The vulnerability, CVE-2014-0751, was published in ICS‑CERT advisory ICSA-14-023-01 on January 23, 2014.

CVE-2014-4114Sandworm Windows OLE Package Manager Remote Code ExecutionIn the wildEvidence1

...a BlackEnergy-based campaign against a variety of overseas targets leveraging vulnerability CVE-2014-4114 (affecting Microsoft Windows and Windows Server 2008 and 2012). ICS-CERT has not observed the use of this vulnerability to target control system environments.

IOCS

Observables

10 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

10 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

1 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping6

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables10

Domains, IPs, and hashes tied to this actor, refreshed continuously.