Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS. Some instances of software have multiple names associated with the same instance due to various organizations tracking the same set of software by different names. Software entries are tagged with ATT&CK for ICS techniques and may be mapped to Groups.
This is the list of 19 software items tracked in ATT&CK for ICS:
|Software Name||Associated Software||Description|
|ACAD/Medre.A||ACAD/Medre.A||ACAD/Medre.A is a worm that steals operational information. The worm collects AutoCAD files with drawings. ACAD/Medre.A has the capability to be used for industrial espionage.1|
|Backdoor.Oldrea is a Remote Access Trojan (RAT) that communicates with a Command and Control (C2) server. The C2 server can deploy payloads that provide additional functionality. One payload has been identified and analyzed that enumerates all connected network resources, such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network.23456789|
|Bad Rabbit||Bad Rabbit|
|Bad Rabbit is a self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine.10|
|BlackEnergy 3||BlackEnergy 3||BlackEnergy 3 is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. It is known to have been used against the Ukrainian power grid.11|
|Conficker is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant.12|
|Duqu||Duqu||Duqu is a collection of computer malware discovered in 2011. It is reportedly related to the Stuxnet worm, although Duqu is not self-replicating.13|
|EKANS is ransomware that was first seen December 2019 and later reported to have impacted operations at Honda automotive production facilities.141516 EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).16 If the malware discovers these processes on the target system, it will stop, encrypt, and rename the process to prevent the program from restarting. This malware should not be confused with the “Snake” malware associated with the Turla group. The ICS processes documented within the malware’s kill-list is similar to those defined by the MEGACORTEXT software.171819 The ransomware was initially reported as “Snake”, however, to avoid confusion with the unrelated Turla APT group security researchers spelled it backwards as EKANS.|
|Flame is an attacker-instructed worm which may open a backdoor and steal information from a compromised computer. Flame has the capability to be used for industrial espionage.20|
|Industroyer is a sophisticated piece of malware designed to cause an Impact to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.21 Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.22232425|
|KillDisk||KillDisk||In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable.26|
|LockerGoga||LockerGoga||LockerGoga is ransomware that has been tied to various attacks on industrial and manufacturing firms with apparently catastrophic consequences.272829|
|NotPetya||NotPetya||NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.30|
|PLC-Blaster||PLC-Blaster||PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules.3132|
|REvil is a Ransomware-as-a-Service (RAAS) malware that was first seen in 2019 and has targeted organizations in the manufacturing, transportation, and electric sector.333435 While the ransomware does not have a specific tailoring towards ICS platforms or architectures, if deployed on an ICS system it can exfiltrate data for later extortion and then encrypt sensitive files.|
|Ryuk||Ryuk||Ryuk is ransomware that was first seen targeting large organizations for high-value ransoms in August of 2018. Ryuk temporarily disrupted operations at a manufacturing firm in 2018.36|
|Stuxnet||Stuxnet||Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.37383940|
|Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.41424344454647|
|VPNFilter||VPNFilter||VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols.4849|
|WannaCry||WannaCry||WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploit EternalBlue.5051|
- ESET. (n.d.). ACAD/Medre.A: 10000‘s of AutoCAD Designs Leaked in Suspected Industrial Espionage. Retrieved April 13, 2021.
- ICS-CERT. (2018, August 22). Advisory (ICSA-14-178-01). Retrieved April 1, 2019.
- ICS-CERT. (2018, August 22). Alert (ICS-ALERT-14-176-02A). Retrieved April 1, 2019.
- Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved April 1, 2019.
- Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell. (2015, December 08). A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin. Retrieved April 1, 2019.
- Kyle Wilhoit. (2014, July 17). Havex, It’s Down With OPC. Retrieved October 22, 2019.
- Symantec. (2014, June 30). Dragonfly: Western Energy Companies Under Sabotage Threat. Retrieved October 22, 2019.
- Kyle Wilhoit. (n.d.). ICS Malware: Havex and Black Energy. Retrieved October 22, 2019.
- Nell Nelson. (2016, January 18). The Impact of Dragonfly Malware on Industrial Control Systems. Retrieved October 22, 2019.
- Marc-Etienne M.Léveillé. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved October 27, 2019.
- Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.
- Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved October 14, 2019.
- Symantec. (n.d.). W32.Duqu The precursor to the next Stuxnet. Retrieved November 3, 2019.
- Davey Winder. (2020, June 10). Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations. Retrieved April 12, 2021.
- MalwareBytes. (2020, June 09). Honda and Enel impacted by cyber attack suspected to be ransomware. Retrieved April 12, 2021.
- Dragos Threat Intelligence. (2020, February 03). EKANS Ransomware and ICS Operations. Retrieved April 12, 2021.
- Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt. (2020, July 15). Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. Retrieved April 12, 2021.
- Joe Slowik. (2020, January 28). Getting the Story Right, and Why It Matters. Retrieved April 12, 2021.
- Joe Slowik. (2020, June 18). EKANS Ransomware Misconceptions and Misunderstandings. Retrieved April 12, 2021.
- Kevin Savage and Branko Spasojevic. (n.d.). W32.Flamer. Retrieved November 3, 2019.
- Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
- Dragos Inc.. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations. Retrieved September 18, 2017.
- CISA. (2017, June 12). Alert (TA17-163A). Retrieved October 22, 2019.
- Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.
- Joe Slowik. (2019, August 15). CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack. Retrieved October 22, 2019.
- Anton Cherepanov. (n.d.). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved October 29, 2019.
- Andy Greenberg. (n.d.). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved October 31, 2019.
- Kevin Beaumont. (n.d.). How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business. Retrieved October 16, 2019.
- Hydro. (n.d.). Retrieved October 16, 2019.
- Enterprise ATT&CK. (n.d.). NotPetya. Retrieved November 3, 2019.
- Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.
- Spenneberg, Ralf. (2016). PLC-Blaster. Retrieved June 6, 2019.
- Kaspersky ICS CERT. (2020, September 24). Threat landscape for industrial automation systems. H1 2020. Retrieved April 12, 2021.
- Ionut Ilascu. (2019, July 16). Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms. Retrieved April 12, 2021.
- Selena Larson, Camille Singleton. (2020, December). RANSOMWARE IN ICS ENVIRONMENTS. Retrieved April 12, 2021.
- Alexander Hanel. (n.d.). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved November 3, 2019.
- Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- Jarrad Shearer. (n.d.). W32.Stuxnet Writeup. Retrieved October 22, 2019.
- CISA. (2014, January 08). Stuxnet Malware Mitigation (Update B). Retrieved October 22, 2019.
- Joel Langill. (2014, January 21). Stuxnet Mitigation. Retrieved October 22, 2019.
- Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.
- Dragos. (2017, December 13). TRISIS Malware Analysis of Safety System Targeted Malware. Retrieved January 12, 2018.
- DHS CISA. (2019, February 27). MAR-17-352-01 HatMan—Safety System Targeted Malware (Update B). Retrieved March 8, 2019.
- Schneider Electric. (2018, January 23). TRITON - Schneider Electric Analysis and Disclosure. Retrieved March 14, 2019.
- Julian Gutmanis. (2019, March 11). Triton - A Report From The Trenches. Retrieved March 11, 2019.
- Schneider Electric. (2018, December 14). Security Notification - EcoStruxure Triconex Tricon V3. Retrieved August 26, 2019.
- Jos Wetzels. (2018, January 16). Analyzing the TRITON industrial malware. Retrieved October 22, 2019.
- William Largent. (2018, June 06). VPNFilter Update - VPNFilter exploits endpoints, targets new devices. Retrieved March 28, 2019.
- Carl Hurd. (2019, March 26). VPNFilter Deep Dive. Retrieved March 28, 2019.
- Enterprise ATT&CK. (n.d.). WannaCry. Retrieved November 3, 2019.
- CISA. (2017, May 12). Alert (TA17-132A). Retrieved October 31, 2019.