T0802 Automated Collection
Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.
Item | Value |
---|---|
ID | T0802 |
Sub-techniques | |
Tactics | TA0100 |
Platforms | Control Server, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay |
Version | 1.0 |
Created | 21 May 2020 |
Last Modified | 09 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0093 | Backdoor.Oldrea | Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. [2] |
S0604 | Industroyer | Industroyer automatically collects protocol object data to learn about control devices in the environment. [3] |
S1072 | Industroyer2 | Industroyer2 leverages a hardcoded list of remote-station IP addresses to iteratively initiate communications and collect information across multiple IEC-104 priority levels. [1] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0807 | Network Allowlists | Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support. |
M0930 | Network Segmentation | Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC). |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
DS0029 | Network Traffic | Network Traffic Content |
DS0012 | Script | Script Execution |
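The Network Traffic Content data source above is the most direct place to see this technique: a single host iterating through a list of stations on a control protocol port, as the Industroyer2 procedure example describes, shows up as a burst of connections from one source to many field devices within a short window, while a legitimate control server polls the same devices but is a known, allowlisted address (the Network Allowlists mitigation). The script below is an added example written for this page, not part of ATT&CK or any referenced malware analysis. It parses constructed Zeek-style conn.log lines (sample data, not a real capture), restricts attention to common ICS ports (IEC-104 on TCP 2404, DNP3 on TCP 20000, OPC UA on TCP 4840, and DCOM on TCP 135 as the entry point for OPC DA), and raises an alert when an unallowlisted source reaches a threshold number of distinct destinations on one protocol inside a sliding time window. The port-to-protocol map, thresholds, allowlist and all addresses are assumptions chosen for the example.

```python
"""Detect one host sweeping many ICS endpoints in a short window (T0802-style enumeration).

Added example for this page; all sample traffic, addresses and thresholds are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed port-to-protocol map for the control protocols named on the page.
ICS_PORTS = {2404: "IEC-104", 20000: "DNP3", 4840: "OPC UA", 135: "DCOM/OPC DA"}

# Assumed allowlist: the one control server that is expected to poll every RTU.
ALLOWLIST = frozenset({"10.10.5.10"})

# Constructed Zeek-style conn.log excerpt (tab-separated). 10.10.5.10 is the allowlisted
# HMI polling five RTUs; 10.10.5.20 walks six IEC-104 stations in under ten seconds;
# 10.10.5.30 touches only two stations; 10.10.5.40 reaches five DNP3 outstations but
# spaced 100 s apart, so no 60 s window ever holds more than one of them.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1660000000.10\t10.10.5.10\t50001\t10.10.7.11\t2404\ttcp
1660000000.60\t10.10.5.10\t50002\t10.10.7.12\t2404\ttcp
1660000001.10\t10.10.5.10\t50003\t10.10.7.13\t2404\ttcp
1660000001.60\t10.10.5.10\t50004\t10.10.7.14\t2404\ttcp
1660000002.10\t10.10.5.10\t50005\t10.10.7.15\t2404\ttcp
1660000100.00\t10.10.5.20\t49152\t10.10.7.11\t2404\ttcp
1660000101.50\t10.10.5.20\t49153\t10.10.7.12\t2404\ttcp
1660000103.00\t10.10.5.20\t49154\t10.10.7.13\t2404\ttcp
1660000104.50\t10.10.5.20\t49155\t10.10.7.14\t2404\ttcp
1660000106.00\t10.10.5.20\t49156\t10.10.7.15\t2404\ttcp
1660000107.50\t10.10.5.20\t49157\t10.10.7.16\t2404\ttcp
1660000109.00\t10.10.5.20\t49158\t10.10.7.11\t2404\ttcp
1660000110.00\t10.10.5.20\t49159\t10.10.7.11\t22\ttcp
1660000200.00\t10.10.5.30\t40000\t10.10.7.11\t2404\ttcp
1660000201.00\t10.10.5.30\t40001\t10.10.7.12\t2404\ttcp
1660000300.00\t10.10.5.40\t41000\t10.10.7.11\t20000\ttcp
1660000400.00\t10.10.5.40\t41001\t10.10.7.12\t20000\ttcp
1660000500.00\t10.10.5.40\t41002\t10.10.7.13\t20000\ttcp
1660000600.00\t10.10.5.40\t41003\t10.10.7.14\t20000\ttcp
1660000700.00\t10.10.5.40\t41004\t10.10.7.15\t20000\ttcp
"""


@dataclass
class Alert:
    src: str            # source host performing the sweep
    protocol: str       # control protocol inferred from the destination port
    targets: int        # distinct destinations reached inside the window
    window_start: float # timestamp of the first connection in the window
    window_end: float   # timestamp of the connection that set the peak count


def parse_conn_log(text):
    """Yield one dict per connection record; '#' header/comment lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")
        yield {"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
               "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto}


def find_sweeps(conns, window_s=60.0, min_targets=5, allowlist=ALLOWLIST):
    """Return one Alert per (source, protocol) whose distinct-destination count
    inside any sliding window of window_s seconds reaches min_targets."""
    by_key = defaultdict(list)
    for c in conns:
        # Only control-protocol ports matter, and allowlisted pollers are expected.
        if c["resp_p"] in ICS_PORTS and c["orig_h"] not in allowlist:
            by_key[(c["orig_h"], c["resp_p"])].append((c["ts"], c["resp_h"]))

    alerts = []
    for (src, port), events in by_key.items():
        events.sort()
        counts = Counter()   # destination -> connections currently inside the window
        start = 0
        best = None
        for ts, dst in events:
            counts[dst] += 1
            # Slide the window forward: drop connections older than window_s.
            while ts - events[start][0] > window_s:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            distinct = len(counts)
            if distinct >= min_targets and (best is None or distinct > best.targets):
                best = Alert(src, ICS_PORTS[port], distinct, events[start][0], ts)
        if best is not None:
            alerts.append(best)
    return alerts


def run_example():
    """Run the detector over the constructed sample; returns the alerts raised."""
    return find_sweeps(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.src} reached {a.targets} {a.protocol} devices between "
              f"{a.window_start:.2f} and {a.window_end:.2f}")
```

On the sample only 10.10.5.20 is reported, with six IEC-104 stations inside 7.5 seconds; the allowlisted HMI is skipped, the two-station host stays under the threshold, and the slow DNP3 host never accumulates more than one station in any 60-second window. Dropping the allowlist (pass `allowlist=frozenset()`) makes the HMI's poll cycle fire as well, which is the point of pairing the detection with the M0807 allowlist: the same traffic pattern is normal from the control server and suspicious from anything else, so the allowlist, not the threshold alone, carries the distinction.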
References
- [1] Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.
- [2] Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved April 1, 2019.
- [3] Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.