T0882 Theft of Operational Information
Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. [1][2]
| Item | Value |
|---|---|
| ID | T0882 |
| Sub-techniques | |
| Tactics | TA0105 |
| Platforms | None |
| Version | 1.0 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1000 | ACAD/Medre.A | ACAD/Medre.A can collect AutoCAD files with drawings. These drawings may contain operational information. [7] |
| S0038 | Duqu | Duqu's purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party. [9] |
| S0143 | Flame | Flame can collect AutoCAD design data and Visio diagrams, as well as other documents that may contain operational information. [8] |
| S0496 | REvil | REvil sends exfiltrated data from the victim's system using HTTPS POST messages sent to the C2 system. [5][6] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0803 | Data Loss Prevention | Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may contain information which can be used to infer organizational trade secrets, recipes, and other intellectual property (IP). |
| M0941 | Encrypt Sensitive Information | Encrypt any operational data with strong confidentiality requirements, including organizational trade secrets, recipes, and other intellectual property (IP). |
| M0809 | Operational Information Confidentiality | Example mitigations could include minimizing the distribution and storage of operational information, or obfuscating it (e.g., facility cover terms, codenames). In many cases this information may be necessary to support critical engineering, maintenance, or operational functions; therefore, it may not be feasible to implement. |
| M0922 | Restrict File and Directory Permissions | Protect files stored locally with proper permissions to limit opportunities for adversaries to interact with and collect information from databases. [3][4] |
References
1. Mark Thompson. (2016, March 24). Iranian Cyber Attack on New York Dam Shows Future of War. Retrieved 2019/11/07.
2. Danny Yadron. (2015, December 20). Iranian Hackers Infiltrated New York Dam in 2013. Retrieved 2019/11/07.
3. Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved 2018/03/28.
4. National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved 2020/09/17.
5. McAfee Labs. (2019, October 02). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service: What The Code Tells Us. Retrieved 2021/04/12.
6. SecureWorks. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved 2021/04/12.
7. ESET. ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage. Retrieved 2021/04/13.
8. Kevin Savage and Branko Spasojevic. W32.Flamer. Retrieved 2019/11/03.
9. Symantec. W32.Duqu: The precursor to the next Stuxnet. Retrieved 2019/11/03.