Theft of Operational Information

From attackics
Revision as of 16:19, 12 April 2021 by Jsteele (talk | contribs) (Text replacement - "Mitigation=Mitigation/M10" to "Mitigation=Mitigation/M09")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Theft of Operational Information
Technique
ID T0882
Tactic Impact

Description

Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations.

In the Bowman Dam incident, adversaries probed systems for operational data.12


Procedure Examples

  • Dragonfly 2.0 captured ICS vendor names, reference documents, wiring diagrams, and panel layouts about the process environment.3
  • ACAD/Medre.A can collect AutoCad files with drawings. These drawings may contain operational information.4
  • Duqu’s purpose is to "gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party."5
  • Flame can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information.6
  • REvil sends exfiltrated data from the victim’s system using HTTPS POST messages sent to the C2 system.78

Mitigations

  • Operational Information Confidentiality - Example mitigations could include minimizing its distribution/storage or obfuscating the information (e.g., facility coverterms, codenames). In many cases this information may be necessary to support critical engineering, maintenance, or operational functions, therefore, it may not be feasible to implement.
  • Data Loss Prevention - Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).
  • Encrypt Sensitive Information - Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP).


References

  1. ^  Mark Thompson. (2016, March 24). Iranian Cyber Attack on New York Dam Shows Future of War. Retrieved November 7, 2019.
  2. ^  Danny Yadron. (2015, December 20). Iranian Hackers Infiltrated New York Dam in 2013. Retrieved November 7, 2019.
  3. ^  Cybersecurity & Infrastructure Security Agency. (2018, March 15). Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 11, 2019.
  4. ^  ESET. (n.d.). ACAD/Medre.A: 10000‘s of AutoCAD Designs Leaked in Suspected Industrial Espionage. Retrieved April 13, 2021.
  5. ^  Symantec. (n.d.). W32.Duqu The precursor to the next Stuxnet. Retrieved November 3, 2019.
  1. ^  Kevin Savage and Branko Spasojevic. (n.d.). W32.Flamer. Retrieved November 3, 2019.
  2. ^  McAfee Labs. (2019, October 02). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved April 12, 2021.
  3. ^  SecureWorks. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved April 12, 2021.
  4. ^  Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.
  5. ^  National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved September 17, 2020.



v · d · e
Adversary Techniques
Initial Access
Execution
Persistence
Evasion
Discovery
Lateral Movement
Collection
Inhibit Response Function
Impair Process Control
Impact


Retrieved from "https://collaborate.mitre.org/attackics/index.php?title=Technique/T0882&oldid=9204"