Center for Threat-Informed Defense

Version 18.0 19.0

Software : ICS ATT&CK Changelog

Modified Software

Description

LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[1][2]

References:

  1. Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.
  2. CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.
Details
Values Changed
FIELD OLD VALUE NEW VALUE
modified 2023-10-17 20:05:34.648000+00:00 2026-04-22 22:21:12.036000+00:00
x_mitre_attack_spec_version 3.2.0 3.3.0
x_mitre_version 2.0 2.1

Modified Description View changes side-by-side
[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors behaviors, including multiple numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Details
Values Changed
FIELD OLD VALUE NEW VALUE
modified 2025-01-02 19:40:26.678000+00:00 2026-04-24 02:36:25.135000+00:00
description [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
x_mitre_attack_spec_version 3.2.0 3.3.0
x_mitre_version 1.4 1.5

Description

Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[1] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[2] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[3]

References:

  1. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  2. Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
  3. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
Details
Values Changed
FIELD OLD VALUE NEW VALUE
modified 2024-04-11 16:06:34.700000+00:00 2026-04-23 14:11:53.057000+00:00
x_mitre_attack_spec_version 3.2.0 3.3.0
x_mitre_version 1.1 1.2

Description

PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. [1] [2]

References:

  1. Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19
  2. Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06
Details
Values Changed
FIELD OLD VALUE NEW VALUE
modified 2025-04-16 21:26:24.423000+00:00 2026-04-23 14:17:13.861000+00:00
x_mitre_attack_spec_version 3.2.0 3.3.0
x_mitre_version 1.0 1.1

Description

Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.[1][2][3][4][5][6][7]

References:

  1. Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12
  2. Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12
  3. DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08
  4. Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14
  5. Julian Gutmanis 2019, March 11 Triton - A Report From The Trenches Retrieved. 2019/03/11
  6. Schneider 2018, December 14 Security Notification EcoStruxure Triconex Tricon V3 Retrieved. 2019/03/08
  7. Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22
Details
Values Changed
FIELD OLD VALUE NEW VALUE
modified 2024-04-17 16:12:43.754000+00:00 2026-04-22 20:06:22.741000+00:00
x_mitre_attack_spec_version 3.2.0 3.3.0
x_mitre_version 1.1 1.2

Description

INCONTROLLER is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. INCONTROLLER has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed INCONTROLLER was developed by CHERNOVITE.[1][2][3][4][5]

References:

  1. DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.
  2. Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.
  3. DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.
  4. Schneider Electric. (2022, April 14). Schneider Electric Security Bulletin: “APT Cyber Tools Targeting ICS/SCADA Devices” . Retrieved September 28, 2022.
  5. Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.
Details
Values Changed
FIELD OLD VALUE NEW VALUE
modified 2025-04-16 21:26:25.242000+00:00 2026-04-23 14:06:34.251000+00:00
x_mitre_attack_spec_version 3.2.0 3.3.0
x_mitre_version 1.0 1.1