What starting position does this attack require?

The first step is Foothold in OT control centre (T1078) — a initial access primitive. Assumed environment: foothold inside an electric utility's OT segment.

What is the final impact of this kill-chain?

The final step lands on Deploy timed Industroyer2 payload (ICS-INDUSTROYER2), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Industroyer2 IEC-104 substation hijack

Timed payload speaks IEC-60870-5-104 to substation RTUs at attacker-chosen hour; sends 'open breaker' commands across a substation, blackouts a grid section.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Initial Access

Foothold in OT control centre

T1078 · Valid Accounts

Execution

Payload fires at chosen UTC hour

T1053 · Scheduled Task/Job

Discovery

Discover IEC-104 endpoints

N-NMAP-INTERNAL · Internal Nmap Sweep

Impact

Wiper module destroys Windows controllers

T1485 · Data Destruction

Impact

Mass 'open breaker' commands

OT-ENERGY-IEC104 · IEC-104 Substation Control

Impact

Deploy timed Industroyer2 payload

ICS-INDUSTROYER2 · Industroyer2 Timed IEC-104 Sweep

§ Context

Assumed environment: foothold inside an electric utility's OT segment. Substation RTUs reachable over the corporate-grid VPN. No segmentation between the OT control centre and substations.

§ Steps

01
Foothold in OT control centreInitial Access
T1078— Valid Accounts
02
Payload fires at chosen UTC hourExecution
T1053— Scheduled Task/Job
03
Discover IEC-104 endpointsDiscovery
N-NMAP-INTERNAL— Internal Nmap Sweep
04
Wiper module destroys Windows controllersImpact
T1485— Data Destruction
05
Mass 'open breaker' commandsImpact
OT-ENERGY-IEC104— IEC-104 Substation Control
06
Deploy timed Industroyer2 payloadImpact
ICS-INDUSTROYER2— Industroyer2 Timed IEC-104 Sweep

§ References

§ Frequently asked

What is the "Industroyer2 IEC-104 substation hijack" attack path?: Timed payload speaks IEC-60870-5-104 to substation RTUs at attacker-chosen hour; sends 'open breaker' commands across a substation, blackouts a grid section. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Foothold in OT control centre (T1078) — a initial access primitive. Assumed environment: foothold inside an electric utility's OT segment.
What is the final impact of this kill-chain?: The final step lands on Deploy timed Industroyer2 payload (ICS-INDUSTROYER2), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Industroyer2 IEC-104 substation hijack

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Trusted updater hijack → wormable destructive payload (NotPetya / M.E.Doc)

ERC-4337 paymaster sponsor drain

z/OS TN3270 → RACF userID brute → mainframe shell

Reconfigure MFP LDAP → harvest service-account credentials

HMI default credentials → operations disruption

PMKID attack → offline crack with no client interaction