T0847 Replication Through Removable Media

Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible.

Operators of the German nuclear power plant Gundremmingen discovered malware on a facility computer not connected to the internet. [6][10] The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. [3][2][8][7][9][4] The plant has since checked for infection and cleaned up more than 1,000 computers. [1] An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. [5]

ID: T0847
Sub-techniques: none
Tactics: TA0108
Platforms: Control Server, Data Historian, Human-Machine Interface
Version: 1.0
Created: 21 May 2020
Last Modified: 09 March 2023

Procedure Examples

S0608 Conficker: Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network. [13] Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or from computers found in the power plant's facility. [2]

S0603 Stuxnet: Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. [11] The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened. [12]

Mitigations

M0942 Disable or Remove Feature or Program: Consider disabling features such as AutoRun.

M0934 Limit Hardware Installation: Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.

M0928 Operating System Configuration: Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.

Detection

DS0016 Drive: Drive Creation

DS0022 File: File Access

DS0009 Process: Process Creation
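The data components above become useful when they are correlated: a process whose image lives on a drive letter that appeared moments earlier as a removable mount is exactly the pattern this technique produces. The following Python is an added example, not part of the ATT&CK page; its event records, field names, host names and paths are constructed for illustration and do not mirror any particular vendor's log format.

```python
from datetime import datetime

# Constructed telemetry, normalised to the data components ATT&CK lists for
# T0847 (Drive Creation, File Access, Process Creation). Field names, hosts and
# paths are assumptions made for this example, not real event records.
EVENTS = [
    {"ts": "2023-03-09T10:00:00", "host": "HMI-01", "type": "drive_creation",
     "drive": "E:", "bus": "USB"},
    {"ts": "2023-03-09T10:00:40", "host": "HMI-01", "type": "file_access",
     "path": "E:\\setup\\update.exe"},
    {"ts": "2023-03-09T10:00:41", "host": "HMI-01", "type": "process_creation",
     "image": "e:\\setup\\update.exe", "parent": "explorer.exe"},
    {"ts": "2023-03-09T11:30:00", "host": "HIST-02", "type": "process_creation",
     "image": "C:\\Program Files\\Historian\\collector.exe", "parent": "services.exe"},
    {"ts": "2023-03-09T12:00:00", "host": "HIST-02", "type": "drive_creation",
     "drive": "F:", "bus": "USB"},
    {"ts": "2023-03-09T15:00:00", "host": "HIST-02", "type": "process_creation",
     "image": "F:\\tools\\diag.exe", "parent": "cmd.exe"},
]


def drive_letter(path):
    """'E:\\x\\y.exe' -> 'E:'; UNC or relative paths give None."""
    return path[:2].upper() if len(path) > 2 and path[1] == ":" else None


def find_removable_executions(events):
    """Flag every process whose image lives on a drive letter that was mounted
    from USB on the same host earlier in the stream. Each hit carries the age
    of the mount in seconds so an analyst can triage 'executed seconds after
    insertion' differently from 'executed hours later'."""
    mounts = {}  # (host, drive letter) -> datetime of the latest USB mount
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "drive_creation" and e.get("bus") == "USB":
            mounts[(e["host"], e["drive"].upper())] = t
        elif e["type"] == "process_creation":
            mounted = mounts.get((e["host"], drive_letter(e["image"])))
            if mounted is not None:
                hits.append({"host": e["host"], "image": e["image"],
                             "parent": e["parent"],
                             "age_s": int((t - mounted).total_seconds())})
    return hits


if __name__ == "__main__":
    for h in find_removable_executions(EVENTS):
        print(f"{h['host']}: {h['image']} (parent {h['parent']}, {h['age_s']}s after mount)")
```

Executions from fixed disks are never flagged, so the rule stays quiet on the historian's own collector while catching both the immediate launch on the HMI and the later one on the historian; the mount age is what separates the two for triage.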

References

1. BBC. (2016, April 28). German nuclear plant hit by computer viruses. Retrieved October 14, 2019.
2. Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved October 14, 2019.
3. Christoph Steitz, Eric Auchard. (2016, April 26). German nuclear plant infected with computer viruses, operator says. Retrieved October 14, 2019.
4. Dark Reading Staff. (2016, April 28). German Nuclear Power Plant Infected With Malware. Retrieved October 14, 2019.
5. ESET. (2016, April 28). Malware found at a German nuclear power plant. Retrieved October 14, 2019.
6. Kernkraftwerk Gundremmingen. (2016, April 25). Detektion von Büro-Schadsoftware an mehreren Rechnern [Detection of office malware on several computers]. Retrieved October 14, 2019.
7. Lee Mathews. (2016, April 27). German nuclear plant found riddled with Conficker, other viruses. Retrieved October 14, 2019.
8. Peter Dockrill. (2016, April 28). Multiple Computer Viruses Have Been Discovered in This German Nuclear Plant. Retrieved October 14, 2019.
9. Sean Gallagher. (2016, April 27). German nuclear plant's fuel rod system swarming with old malware. Retrieved October 14, 2019.
10. Trend Micro. (2016, April 27). Malware Discovered in German Nuclear Power Plant. Retrieved October 14, 2019.
11. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
12. Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.
13. Symantec. (2015, June 30). Simple steps to protect yourself from the Conficker Worm. Retrieved December 5, 2019.