ICS Software

This is the list of 17 software items tracked in ATT&CK for ICS:

| Software Name | Associated Software | Description |
| --- | --- | --- |
| ACAD/Medre.A | ACAD/Medre.A | ACAD/Medre.A is a worm that steals operational information. The worm collects AutoCAD files with drawings. ACAD/Medre.A has the capability to be used for industrial espionage. |
| Backdoor.Oldrea | Havex, Backdoor.Oldrea | Backdoor.Oldrea is a Remote Access Trojan (RAT) that communicates with a Command and Control (C2) server. The C2 server can deploy payloads that provide additional functionality. One payload has been identified and analyzed that enumerates all connected network resources, such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network. [1][2][3][4][5][6][7][8] |
| Bad Rabbit | Bad Rabbit, Diskcoder.D | Bad Rabbit is a self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine. [9] |
| BlackEnergy 3 | BlackEnergy 3 | BlackEnergy 3 is a malware toolkit that has been used by both criminal and APT actors. It supports various plug-ins, including a variant of KillDisk. It is known to have been used against the Ukrainian power grid. [10] |
| Conficker | Conficker, Downadup, Kido | Conficker is a computer worm that targets Microsoft Windows and was first detected in November 2008. It exploits a vulnerability (MS08-067) in Windows OS software and uses dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant. [11] |
| Duqu | Duqu | Duqu is a collection of computer malware discovered in 2011. It is reportedly related to the Stuxnet worm, although Duqu is not self-replicating. [12] |
| Flame | Flamer, Flame, sKyWIper | Flame is an attacker-instructed worm which may open a backdoor and steal information from a compromised computer. Flame has the capability to be used for industrial espionage. [13] |
| Industroyer | CRASHOVERRIDE, Industroyer | Industroyer is a sophisticated piece of malware designed to cause an Impact to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations. [14] Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016. [15][16][17][18] |
| KillDisk | KillDisk | In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable. [19] |
| LockerGoga | LockerGoga | LockerGoga is ransomware that has been tied to various attacks on industrial and manufacturing firms with apparently catastrophic consequences. [20][21][22] |
| NotPetya | NotPetya | NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance. [23] |
| PLC-Blaster | PLC-Blaster | PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. [24][25] |
| Ryuk | Ryuk | Ryuk is ransomware that was first seen targeting large organizations for high-value ransoms in August of 2018. Ryuk temporarily disrupted operations at a manufacturing firm in 2018. [26] |
| Stuxnet | Stuxnet | Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines. [27][28][29][30] |
| Triton | Triton, TRISIS, HatMan | Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. [31][32][33][34][35][36][37] |
| VPNFilter | VPNFilter | VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. [38][39] |
| WannaCry | WannaCry | WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploit EternalBlue. |