This site has been deprecated in favor of and will remain in place until 11/1/22.

Replication Through Removable Media

From attackics
Jump to navigation Jump to search

To visit this technique’s new page please go to and update your links to

Replication Through Removable Media
ID T0847
Tactic Initial Access
Data Sources Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Asset Human-Machine Interface, Data Historian, Control Server


Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible.

Operators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet.12 The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility.345678 The plant has since checked for infection and cleaned up more than 1,000 computers.9 An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution.10

Procedure Examples

  • Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network.11 Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or computers found in the power plant's facility.4
  • Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment.12 The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened.13


  • Limit Hardware Installation - Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.
  • Operating System Configuration - Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.