{"description": "ICS techniques used by 2025 Poland Wiper Attacks, ATT&CK campaign C0063 (v1.0)", "name": "2025 Poland Wiper Attacks (C0063)", "domain": "ics-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T0892", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries changed the login password of Moxa NPort Serial Device Servers to impede system recovery.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0807", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries executed PowerShell commands on the Human Machine Interface (HMI) to make configuration changes that enabled administrative shares and created a new firewall rule to enable traffic over port 445 as well as conducted network reconnaissance activities.(Citation: CERT Polska)\n\nDuring the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries executed PowerShell commands on the domain controller that collected and exfiltrated the SAM and SYSTEM registry hives and the Active Directory database (ntds.dit).(Citation: CERT Polska)\n\nDuring the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries logged into the Mikronika RTUs via SSH, with root privileges, and executed Linux commands to delete all the files on the system resulting in device failure.(Citation: CERT Polska)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0885", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries enabled TCP port 445 on Mikronika HMI devices creating a new firewall rule named \u201cMicrosoft Update\u201d.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0809", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used DynoWiper and built-in commands to destroy data on Mikronika RTUs, Hitachi Relion Protection and Control Relays (IEDs), and HMI workstations.(Citation: CERT Polska)\n\nDuring the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used LazyWiper to destroy data at a manufacturing sector company.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0816", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries corrupted the firmware in the Hitachi RTUs resulting in a fault that triggered a reboot loop.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0822", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries gained initial access by compromising Fortinet edge devices.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0823", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used a graphical user interface (GUI) via the Remote Desktop Protocol (RDP) to access the Mikronika HMI and to execute commands.(Citation: CERT Polska)\n\nDuring the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used a graphical user interface (GUI) to connect to the domain controller via the Remote Desktop Protocol (RDP) to collect and exfiltrate data and attempt to destroy data on the system.(Citation: CERT Polska)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1694", "showSubtechniques": true}, {"techniqueID": "T1694.001", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used default credentials to access Hitachi RTUs, Mikronika RTUs, Hitachi Relion Protection and Control Relays, Mikronika HMI Computers, and Moxa NPort Serial Device Servers.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T0827", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries damaged the Mikronika RTUs, Hitachi Relion Protection and Control Relays (IEDs), and HMI workstations resulting in a loss of communications and control between the facility and the distribution system operators (DSO).(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0829", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries wiped devices and also damaged Mikronika RTUs, Hitachi Relion Protection and Control Relays (IEDs), and HMI workstations resulting in a loss of communications and view between the facility and the distribution system operators (DSO).(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1693", "showSubtechniques": true}, {"techniqueID": "T1693.001", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries corrupted the firmware in the Hitachi RTUs resulting in a fault that triggered a reboot loop.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T0840", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used `netstat` to enumerate network connections on the Mikronika HMI computers.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0886", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries gained initial access to the operational technology via the compromised Fortinet edge devices, and used SSH, RDP, and SMB/Windows Admin Shares to connect to remote systems and execute commands.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0846", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used `nslookup` and `ping` to conduct remote system discovery activities.(Citation: CERT Polska)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T0846.001", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used Advanced Port Scanner and Advanced IP Scanner to conduct remote system discovery activities.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T0846.002", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used `arp` to conduct remote system discovery activities.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T0888", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries remotely executed commands on systems using [PsExec](https://attack.mitre.org/software/S0029) to gather information about running processes, network connections, routing tables, ARP cache, and contents of user directories.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0852", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used the `nircmd` utility to capture screenshots of systems.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0882", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries stole sensitive operational information that was used to plan the attack on the operational technology systems.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0859", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used valid accounts to access Hitachi RTUs, Mikronika RTUs, Hitachi Relion Protection and Control Relays, Mikronika HMI Computers, and Moxa NPort Serial Device Servers.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by 2025 Poland Wiper Attacks", "color": "#66b1ff"}]}