-
Notifications
You must be signed in to change notification settings - Fork 258
/
mitre-ics-tactics.json
278 lines (278 loc) · 27 KB
/
mitre-ics-tactics.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
{
"authors": [
"MITRE"
],
"category": "tactic",
"description": "A list of all 11 tactics in ATT&CK for ICS",
"name": "Tactics",
"source": "https://collaborate.mitre.org/attackics/index.php/All_Tactics",
"type": "mitre-ics-tactics",
"uuid": "ae92140f-7816-45b6-aa7c-9ff3e8536f10",
"values": [
{
"description": "The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal. Collection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of Discovery, to compile data on control systems and targets of interest that may be used to follow through on the adversary’s objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other refs may also be at risk and exposed on the internet or otherwise publicly accessible.",
"meta": {
"Techniques in this Tactics Category": [
"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Detect Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T868",
"Detect Program State https://collaborate.mitre.org/attackics/index.php/Technique/T870",
"I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T877",
"Location Identification https://collaborate.mitre.org/attackics/index.php/Technique/T825",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
"Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Screen Capture https://collaborate.mitre.org/attackics/index.php/Technique/T852"
],
"refs": [
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf",
"http://www.research.lancs.ac.uk/portal/files/196578358/sample_sigconf.pdf",
"https://www.us-cert.gov/ncas/alerts/TA17-293A"
]
},
"uuid": "834fab50-be52-4611-95b6-6330d1db65c2",
"value": "Collection"
},
{
"description": "The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment. Command and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victim’s network structure and defenses.",
"meta": {
"Techniques in this Tactics Category": [
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Connection Proxy https://collaborate.mitre.org/attackics/index.php/Technique/T884",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1090"
]
},
"uuid": "4fd3b7b1-6d05-4cab-8182-6ea52ecbde63",
"value": "Command and Control"
},
{
"description": "The adversary is trying to figure out your ICS environment. Discovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.",
"meta": {
"Techniques in this Tactics Category": [
"Control Device Identification https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"I/O Module Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T824",
"Network Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T840",
"Network Service Scanning https://collaborate.mitre.org/attackics/index.php/Technique/T841",
"Network Sniffing https://collaborate.mitre.org/attackics/index.php/Technique/T842",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1049",
"https://attack.mitre.org/wiki/Technique/T1040",
"https://attack.mitre.org/wiki/Technique/T1018"
]
},
"uuid": "021d9d90-a792-4b84-a9f8-892b11c7db55",
"value": "Discovery"
},
{
"description": "The adversary is trying to avoid being detected.Evasion consists of techniques that adversaries use to avoid detection by both human operators and technical defenses throughout their compromise. Techniques used for evasion include removal of indicators of compromise, spoofing communications and reporting, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. Methods of defense and operator evasion for this purpose are often more passive in nature, as opposed to Inhibit Response Function techniques. They may also vary depending on whether the target of evasion is human or technological in nature, such as security controls. Techniques under other tactics are cross-listed to evasion when those techniques include the added benefit of subverting operators and defenses. ",
"meta": {
"Techniques in this Tactics Category": [
"Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820",
"Indicator Removal on Host https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856",
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858"
],
"refs": [
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://attack.mitre.org/wiki/Technique/T1014",
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
]
},
"uuid": "099fdd9a-8894-4599-8e7f-59e82e285df6",
"value": "Evasion"
},
{
"description": "The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network Discovery and Collection, impact operations, and inhibit response functions.",
"meta": {
"Techniques in this Tactics Category": [
"Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"Command-Line Interface https://collaborate.mitre.org/attackics/index.php/Technique/T807",
"Execution through API https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Graphical User Interface https://collaborate.mitre.org/attackics/index.php/Technique/T823",
"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Project File Infection https://collaborate.mitre.org/attackics/index.php/Technique/T873",
"Scripting https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1059",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095",
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
"http://www.dee.ufrj.br/controle_automatico/cursos/IEC61131-3_Programming_Industrial_Automation_Systems.pdf",
"https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6560_PracticalApplications_MW_20120224_Web.pdf?v=20151125-003051",
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf",
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
"https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=",
"http://www.plcdev.com/book/export/html/373",
"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf",
"https://www.f-secure.com/weblog/archives/00002718.html"
]
},
"uuid": "7779ec85-b841-44b8-9c5e-9c9d670a3938",
"value": "Execution"
},
{
"description": "The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment. Impact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage Impair Process Control techniques, which often manifest in more self-revealing impacts on operations, or Inhibit Response Function techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversary’s goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. Loss of Productivity and Revenue, Theft of Operational Information, and Damage to Property are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.",
"meta": {
"Techniques in this Tactics Category": [
"Damage to Property https://collaborate.mitre.org/attackics/index.php/Technique/T879",
"Denial of Control https://collaborate.mitre.org/attackics/index.php/Technique/T813",
"Denial of View https://collaborate.mitre.org/attackics/index.php/Technique/T815",
"Loss of Availability https://collaborate.mitre.org/attackics/index.php/Technique/T826",
"Loss of Control https://collaborate.mitre.org/attackics/index.php/Technique/T827",
"Loss of Productivity and Revenue https://collaborate.mitre.org/attackics/index.php/Technique/T828",
"Loss of Safety https://collaborate.mitre.org/attackics/index.php/Technique/T880",
"Loss of View https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Manipulation of Control https://collaborate.mitre.org/attackics/index.php/Technique/T831",
"Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Theft of Operational Information https://collaborate.mitre.org/attackics/index.php/Technique/T882"
],
"refs": [
"https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3",
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html",
"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
"https://time.com/4270728/iran-cyber-attack-dam-fbi/",
"https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559"
]
},
"uuid": "40c9594e-ae8b-48f1-8e11-0e08ead4d44b",
"value": "Impact"
},
{
"description": "The adversary is trying to manipulate, disable, or damage physical control processes. Impair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use Inhibit Response Function techniques in tandem, to assist with the successful abuse of control processes to result in Impact.",
"meta": {
"Techniques in this Tactics Category": [
"Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806",
"Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839",
"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856",
"Unauthorized Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T855"
],
"refs": [
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf",
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices",
"https://attack.mitre.org/techniques/T1489/",
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf"
]
},
"uuid": "aa3913db-52ce-4856-b0db-fce6af13e4d6",
"value": "Impair Process Control"
},
{
"description": "The adversary is trying to manipulate, disable, or damage physical control processes. Impair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use Inhibit Response Function techniques in tandem, to assist with the successful abuse of control processes to result in Impact.",
"meta": {
"Techniques in this Tactics Category": [
"Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Alarm Suppression https://collaborate.mitre.org/attackics/index.php/Technique/T878",
"Block Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T803",
"Block Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804",
"Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805",
"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Device Restart/Shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T816",
"Manipulate I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T835",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858"
],
"refs": [
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf",
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://attack.mitre.org/wiki/Technique/T1107",
"https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A",
"https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01",
"http://cwe.mitre.org/data/definitions/400.html",
"https://nvd.nist.gov/vuln/detail/CVE-2015-5374",
"https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/",
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf",
"https://attack.mitre.org/wiki/Technique/T1014",
"http://www.sciencedirect.com/science/article/pii/S1874548213000231"
]
},
"uuid": "35bf4454-d73b-43ff-8a38-85342f595009",
"value": "Inhibit Response Function"
},
{
"description": "The adversary is trying to get into your ICS environment. Initial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations. ",
"meta": {
"Techniques in this Tactics Category": [
"Data Historian Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T810",
"Drive-by Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Engineering Workstation Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T818",
"Exploit Public-Facing Application https://collaborate.mitre.org/attackics/index.php/Technique/T819",
"External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Internet Accessible Device https://collaborate.mitre.org/attackics/index.php/Technique/T883",
"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Supply Chain Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T862",
"Wireless Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T860"
],
"refs": [
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
"https://www.us-cert.gov/ncas/alerts/TA18-074A",
"https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B",
"https://attack.mitre.org/wiki/Technique/T1133",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/",
"https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01",
"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html",
"https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf",
"https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559",
"https://time.com/4270728/iran-cyber-attack-dam-fbi/",
"https://www.kkw-gundremmingen.de/presse.php?id=571",
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant",
"https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS",
"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml",
"https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant",
"https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/",
"https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/",
"https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298",
"https://www.bbc.com/news/technology-36158606",
"https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/",
"https://attack.mitre.org/techniques/T1193/",
"https://www.f-secure.com/weblog/archives/00002718.html",
"https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf",
"https://www.slideshare.net/dgpeters/17-bolshev-1-13",
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html"
]
},
"uuid": "2366ffb0-91ba-4b8e-bfad-d460c98d43a8",
"value": "Initial Access"
}
],
"version": 1
}