{
"type": "bundle",
"id": "bundle--bd059675-85da-44b7-9626-4cd8b56df0c2",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-03-30T19:09:43.744Z",
"name": "Data from Information Repositories",
"description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)\n\nInformation collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.\n\nIn a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Data Historian"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Application Log: Application Log Content",
"Logon Session: Logon Session Creation",
"Network Share: Network Share Access"
],
"type": "attack-pattern",
"id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0811",
"external_id": "T0811"
},
{
"source_name": "Cybersecurity & Infrastructure Security Agency March 2018",
"description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ",
"url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A"
},
{
"source_name": "CISA AA21-201A Pipeline Intrusion July 2021",
"description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ",
"url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}