Replication Through Removable Media (T0847)


Technique & Subtechniques

  • Replication Through Removable Media

Associated Tactics

  • Initial Access

Initial Access (TA0108)

The adversary is trying to get into your ICS environment. Initial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third-party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor-maintained assets may include physical devices, software, and operational equipment. Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations.

Procedure Examples

| Description | Source(s) |
| --- | --- |
| BBC. (2016, April 28). German nuclear plant hit by computer viruses. Retrieved 2019/10/14. | BBC April 2016 |
| Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved 2019/10/14. | Catalin Cimpanu April 2016 |
| Christoph Steitz, Eric Auchard. (2016, April 26). German nuclear plant infected with computer viruses, operator says. Retrieved 2019/10/14. | Christoph Steitz, Eric Auchard April 2016 |
| Dark Reading Staff. (2016, April 28). German Nuclear Power Plant Infected With Malware. Retrieved 2019/10/14. | Dark Reading Staff April 2016 |
| ESET. (2016, April 28). Malware found at a German nuclear power plant. Retrieved 2019/10/14. | ESET April 2016 |
| Kernkraftwerk Gundremmingen. (2016, April 25). Detektion von Büro-Schadsoftware an mehreren Rechnern. Retrieved 2019/10/14. | Kernkraftwerk Gundremmingen April 2016 |
| Lee Mathews. (2016, April 27). German nuclear plant found riddled with Conficker, other viruses. Retrieved 2019/10/14. | Lee Mathews April 2016 |
| Peter Dockrill. (2016, April 28). Multiple Computer Viruses Have Been Discovered in This German Nuclear Plant. Retrieved 2019/10/14. | Peter Dockrill April 2016 |
| Sean Gallagher. (2016, April 27). German nuclear plant's fuel rod system swarming with old malware. Retrieved 2019/10/14. | Sean Gallagher April 2016 |
| Trend Micro. (2016, April 27). Malware Discovered in German Nuclear Power Plant. Retrieved 2019/10/14. | Trend Micro April 2016 |