T0809 Data Destruction
Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process.[1]
Data destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.
Standard file deletion commands are available on most operating systems and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ KillDisk.
| Item | Value |
|---|---|
| ID | T0809 |
| Sub-techniques | |
| Tactics | TA0107 |
| Platforms | Control Server, Field Controller/RTU/PLC/IED, Human-Machine Interface |
| Version | 1.0 |
| Created | 21 May 2020 |
| Last Modified | 19 September 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1045 | INCONTROLLER | INCONTROLLER can wipe the memory of Omron PLCs and reset settings through the remote HTTP service.[5][6][7] |
| S0604 | Industroyer | Industroyer has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives, specifically targeting ABB PCM600 configuration files.[3] |
| S0607 | KillDisk | KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion.[4] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0953 | Data Backup | Utilize central storage servers for critical operations where possible (e.g., historians) and keep remote backups. For outstations, use local redundant storage for event recorders. Have backup control system platforms, preferably as hot-standbys, to respond immediately to data destruction events.[2] |
| M0926 | Privileged Account Management | Minimize permissions and access for service accounts to limit the information that may be impacted by malicious users or software.[2] |
| M0922 | Restrict File and Directory Permissions | Protect files stored locally with proper permissions to limit opportunities for adversaries to impact data storage.[2] |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Deletion |
| DS0009 | Process | Process Creation |
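The three data components above map directly onto a small rule set. The following is an added example written for this page, not MITRE's or any vendor's detection content: it scores a stream of constructed, pipe-delimited Windows-style telemetry (Sysmon-like process-creation and file-deletion records) for the shapes this technique produces: execution of a known wiper or secure-delete tool (the page names SDelete and KillDisk), a built-in deletion command run recursively or with wildcards, and a burst of deletions of engineering/configuration files by one process (the Industroyer behaviour against PCM600 project files). The log layout, the list of configuration extensions, and the burst threshold are assumptions chosen for illustration.

```python
"""Rule sketch for ATT&CK for ICS T0809 Data Destruction (added example).

Event format (assumed, constructed for this example):
    <ISO-8601 ts>|<host>|<user>|ProcessCreate|<image path>|<command line>
    <ISO-8601 ts>|<host>|<user>|FileDelete|<image path>|<deleted file path>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tooling named on the page (SDelete, KillDisk); file names are assumptions.
WIPER_IMAGES = {"sdelete.exe", "sdelete64.exe", "killdisk.exe"}
# Built-in commands that destroy data or recovery points (assumed list).
DESTRUCTIVE_BUILTINS = {"del", "erase", "rd", "rmdir", "format", "cipher", "vssadmin"}
# Engineering/config extensions worth protecting (assumed; .pcm* for PCM600).
CONFIG_EXTS = (".pcmp", ".pcmi", ".pcmt", ".scd", ".cid", ".icd", ".ini")
BULK_THRESHOLD = 5                 # config files deleted by one process ...
BULK_WINDOW = timedelta(seconds=60)  # ... within this window => alert


def basename(path):
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    ts, host, user, kind, image, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "kind": kind, "image": image, "detail": detail}


def is_destructive_cmd(cmdline):
    """True for deletion built-ins used recursively, with wildcards, for free-space
    wiping (cipher /w:) or shadow-copy removal; a single named file is treated
    as routine housekeeping."""
    toks = cmdline.lower().split()
    # Strip an interpreter prefix such as "cmd.exe /c".
    if len(toks) >= 3 and basename(toks[0]) in ("cmd.exe", "cmd") and toks[1] in ("/c", "/k"):
        toks = toks[2:]
    if not toks or basename(toks[0]) not in DESTRUCTIVE_BUILTINS:
        return False
    return any(a in ("/s", "/q", "/f", "shadows") or a.startswith("/w:") or "*" in a
               for a in toks[1:])


def detect(lines):
    """Return (severity, rule, host, detail) tuples in event order."""
    alerts = []
    recent = defaultdict(list)  # (host, image) -> [(ts, path)] inside BULK_WINDOW
    for ev in map(parse_event, lines):
        img = basename(ev["image"])
        if ev["kind"] == "ProcessCreate":
            if img in WIPER_IMAGES:
                alerts.append(("high", "wiper-tool", ev["host"], ev["detail"]))
            elif is_destructive_cmd(ev["detail"]):
                alerts.append(("medium", "destructive-builtin", ev["host"], ev["detail"]))
        elif ev["kind"] == "FileDelete":
            key = (ev["host"], img)
            window = [(t, p) for t, p in recent[key] if ev["ts"] - t <= BULK_WINDOW]
            window.append((ev["ts"], ev["detail"]))
            recent[key] = window
            cfg = [p for _, p in window if p.lower().endswith(CONFIG_EXTS)]
            if len(cfg) == BULK_THRESHOLD:  # fire once as the threshold is crossed
                alerts.append(("high", "bulk-config-deletion", ev["host"],
                               f"{img} deleted {len(cfg)} config files"))
    return alerts


# Constructed sample telemetry: routine activity on HMI-01 followed by a
# secure-delete tool, a recursive wildcard delete and the resulting deletions.
SAMPLE_LOG = [
    "2015-12-23T16:00:00+00:00|HMI-01|svc_ops|ProcessCreate|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\svc_ops\\notes.txt",
    "2015-12-23T16:00:05+00:00|HMI-01|svc_ops|ProcessCreate|C:\\Windows\\System32\\cmd.exe|cmd.exe /c del C:\\Temp\\old.log",
    "2015-12-23T16:01:00+00:00|HMI-01|svc_ops|ProcessCreate|C:\\Tools\\sdelete64.exe|sdelete64.exe -p 3 -s C:\\Projects",
    "2015-12-23T16:01:10+00:00|HMI-01|svc_ops|ProcessCreate|C:\\Windows\\System32\\cmd.exe|cmd.exe /c del /s /q C:\\ProgramData\\*.pcmp",
    "2015-12-23T16:01:11+00:00|HMI-01|svc_ops|FileDelete|C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\Station1.pcmp",
    "2015-12-23T16:01:12+00:00|HMI-01|svc_ops|FileDelete|C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\Station2.pcmp",
    "2015-12-23T16:01:13+00:00|HMI-01|svc_ops|FileDelete|C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\Station3.pcmp",
    "2015-12-23T16:01:14+00:00|HMI-01|svc_ops|FileDelete|C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\Station4.pcmp",
    "2015-12-23T16:01:15+00:00|HMI-01|svc_ops|FileDelete|C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\Station5.pcmp",
    "2015-12-23T16:01:20+00:00|ENG-02|eng1|FileDelete|C:\\Windows\\explorer.exe|C:\\Users\\eng1\\Desktop\\old.pcmi",
]

if __name__ == "__main__":
    for sev, rule, host, detail in detect(SAMPLE_LOG):
        print(f"[{sev}] {rule} on {host}: {detail}")
```

The single-file `del` and the one-off deletion from Explorer on ENG-02 stay quiet, which is the point of the threshold and flag checks: a rule that fires on every `del` is tuned out within a day. In a real deployment the bulk rule should key on the process GUID rather than the image name so that two concurrent `cmd.exe` sessions are not merged, and the configuration-extension list should be generated from the engineering tools actually in use.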
References
1. Enterprise ATT&CK. (2018, January 11). File Deletion. Retrieved May 17, 2018.
2. National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved September 17, 2020.
3. Dragos Inc. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electric Grid Operations. Retrieved September 18, 2017.
4. Anton Cherepanov. BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved October 29, 2019.
5. DRAGOS. (2022, April 13). Pipedream: Chernovite's Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.
6. Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.
7. Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.