Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS. Some instances of software have multiple names associated with the same instance due to various organizations tracking the same set of software by different names. Software entries are tagged with ATT&CK for ICS techniques and may be mapped to Groups.
This is the list of 17 software items tracked in ATT&CK for ICS:
|Software Name||Associated Software||Description|
|ACAD/Medre.A||ACAD/Medre.A||ACAD/Medre.A is a worm that steals operational information. The worm collects AutoCAD files with drawings. ACAD/Medre.A has the capability to be used for industrial espionage.|
|Backdoor.Oldrea is a Remote Access Trojan (RAT) that communicates with a Command and Control (C2) server. The C2 server can deploy payloads that provide additional functionality. One payload has been identified and analyzed that enumerates all connected network resources, such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network.12345678|
|Bad Rabbit||Bad Rabbit|
|Bad Rabbit is a self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine.9|
|BlackEnergy 3||BlackEnergy 3||BlackEnergy 3 is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. It is known to have been used against the Ukrainian power grid.10|
|Conficker is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant.11|
|Duqu||Duqu||Duqu is a collection of computer malware discovered in 2011. It is reportedly related to the Stuxnet worm, although Duqu is not self-replicating.12|
|Flame is an attacker-instructed worm which may open a backdoor and steal information from a compromised computer. Flame has the capability to be used for industrial espionage.13|
|Industroyer is a sophisticated piece of malware designed to cause an Impact to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.14 Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.15161718|
|KillDisk||KillDisk||In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable.19|
|LockerGoga||LockerGoga||LockerGoga is ransomware that has been tied to various attacks on industrial and manufacturing firms with apparently catastrophic consequences.202122|
|NotPetya||NotPetya||NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.23|
|PLC-Blaster||PLC-Blaster||PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules.2425|
|Ryuk||Ryuk||Ryuk is ransomware that was first seen targeting large organizations for high-value ransoms in August of 2018. Ryuk temporarily disrupted operations at a manufacturing firm in 2018.26|
|Stuxnet||Stuxnet||Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.27282930|
|Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.31323334353637|
|VPNFilter||VPNFilter||VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols.3839|
|WannaCry||WannaCry||WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploit EternalBlue.4041|
- ICS-CERT. (2018, August 22). Advisory (ICSA-14-178-01). Retrieved April 1, 2019.
- ICS-CERT. (2018, August 22). Alert (ICS-ALERT-14-176-02A). Retrieved April 1, 2019.
- Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved April 1, 2019.
- Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell. (2015, December 08). A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin. Retrieved April 1, 2019.
- Kyle Wilhoit. (2014, July 17). Havex, It’s Down With OPC. Retrieved October 22, 2019.
- Symantec. (2014, June 30). Dragonfly: Western Energy Companies Under Sabotage Threat. Retrieved October 22, 2019.
- Kyle Wilhoit. (n.d.). ICS Malware: Havex and Black Energy. Retrieved October 22, 2019.
- Nell Nelson. (2016, January 18). The Impact of Dragonfly Malware on Industrial Control Systems. Retrieved October 22, 2019.
- Marc-Etienne M.Léveillé. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved October 27, 2019.
- Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.
- Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved October 14, 2019.
- Symantec. (n.d.). W32.Duqu The precursor to the next Stuxnet. Retrieved November 3, 2019.
- Kevin Savage and Branko Spasojevic. (n.d.). W32.Flamer. Retrieved November 3, 2019.
- Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
- Dragos Inc.. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations. Retrieved September 18, 2017.
- CISA. (2017, June 12). Alert (TA17-163A). Retrieved October 22, 2019.
- Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.
- Joe Slowik. (2019, August 15). CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack. Retrieved October 22, 2019.
- Anton Cherepanov. (n.d.). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved October 29, 2019.
- Andy Greenberg. (n.d.). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved October 31, 2019.
- Kevin Beaumont. (n.d.). How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business. Retrieved October 16, 2019.
- Hydro. (n.d.). Retrieved October 16, 2019.
- Enterprise ATT&CK. (n.d.). NotPetya. Retrieved November 3, 2019.
- Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.
- Spenneberg, Ralf. (2016). PLC-Blaster. Retrieved June 6, 2019.
- Alexander Hanel. (n.d.). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved November 3, 2019.
- Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- Jarrad Shearer. (n.d.). W32.Stuxnet Writeup. Retrieved October 22, 2019.
- CISA. (2014, January 08). Stuxnet Malware Mitigation (Update B). Retrieved October 22, 2019.
- Joel Langill. (2014, January 21). Stuxnet Mitigation. Retrieved October 22, 2019.
- Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.
- Dragos. (2017, December 13). TRISIS Malware Analysis of Safety System Targeted Malware. Retrieved January 12, 2018.
- DHS CISA. (2019, February 27). MAR-17-352-01 HatMan—Safety System Targeted Malware (Update B). Retrieved March 8, 2019.
- Schneider Electric. (2018, January 23). TRITON - Schneider Electric Analysis and Disclosure. Retrieved March 14, 2019.
- Julian Gutmanis. (2019, March 11). Triton - A Report From The Trenches. Retrieved March 11, 2019.
- Schneider Electric. (2018, December 14). Security Notification - EcoStruxure Triconex Tricon V3. Retrieved August 26, 2019.
- Jos Wetzels. (2018, January 16). Analyzing the TRITON industrial malware. Retrieved October 22, 2019.
- William Largent. (2018, June 06). VPNFilter Update - VPNFilter exploits endpoints, targets new devices. Retrieved March 28, 2019.
- Carl Hurd. (2019, March 26). VPNFilter Deep Dive. Retrieved March 28, 2019.
- Enterprise ATT&CK. (n.d.). WannaCry. Retrieved November 3, 2019.
- CISA. (2017, May 12). Alert (TA17-132A). Retrieved October 31, 2019.