Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider) Similarly, they may delete virtual machines from on-prem virtualized environments.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1485 | Data Destruction |
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.
References
|
| BCR-08 | Backup | mitigates | T1485 | Data Destruction |
Comments
Adversaries may destroy, overwrite, or delete data and files in cloud storage objects and other cloud resources. Periodically backing up data stored in the cloud; ensuring backup confidentiality, integrity, and availability; and verifying data restoration from backup provides data protection and allows for quick recovery from data destruction attacks.
References
|
| HRS-03 | Clean Desk Policy and Procedures | mitigates | T1485 | Data Destruction |
Comments
This control can help prevent adversaries attempting to destroy data and files on specific systems or in large numbers on a network through Implementing multi-factor authentication (MFA) for cloud storage resources to prevent unauthorized deletion of critical data and infrastructure.
References
|
| DSP-16 | Data Retention and Deletion | mitigates | T1485 | Data Destruction |
Comments
This control describes the shared responsibility of both the CSP and CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party’s environment. For this technique, adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
In terms of mitigation, taking regular data backups that can be used to restore organizational data and ensuring backups are stored off system and protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery can limit the impact of this technique.
References
|
| DCS-18 | Datacenter Operations Resilience | mitigates | T1485 | Data Destruction |
Comments
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial‑of‑service and other availability‑impacting attacks that seek to disrupt business and operational continuity.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1485.001 | Lifecycle-Triggered Deletion | 5 |