Equation

Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. [1]

ID: G0020
Version: 1.1
Created: 31 May 2017
Last Modified: 31 January 2019

Techniques Used

Domain | ID | Name
Use

Enterprise | T1109 | Component Firmware
Use: Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers.[1]

Enterprise | T1480 | Execution Guardrails
Use: Equation has been observed using environmental keying in payload delivery.[2][1]

Enterprise | T1120 | Peripheral Device Discovery
Use: Equation has used tools that search for specific information about the attached hard drive, information that could be used to identify the drive and overwrite its firmware.[1]
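The two behaviours above (environmental keying in T1480 and drive identification in T1120) fit together: a payload can be encrypted under a key derived from the identity of the attached drive, so it only decrypts on the intended machine and an analyst who captures the blob elsewhere cannot recover it. The Python below is an added example written for this page, not Equation's tooling or code from the cited reports. The sysfs paths, the attribute names, the drive strings and the HMAC-based keystream are assumptions constructed for illustration; real tooling would use a proper block cipher and whatever identity source the target hardware exposes.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Drive attributes the payload is keyed to.  Both dictionaries are constructed
# for the example; they do not describe models any real group targeted.
TARGET_DRIVE = {"vendor": "ATA", "model": "EXAMPLE-HDD-2TB", "rev": "FW01"}
OTHER_DRIVE = {"vendor": "ATA", "model": "EXAMPLE-SSD-500", "rev": "FW07"}

ATTR_NAMES = ("vendor", "model", "rev")


def read_sysfs_drive(dev: str = "sda") -> Dict[str, str]:
    """Collect identity strings for a block device from Linux sysfs.

    Assumed layout: /sys/block/<dev>/device/{vendor,model,rev}.  Missing files
    yield empty strings so the function also runs on hosts without sysfs.
    """
    attrs = {}
    for name in ATTR_NAMES:
        try:
            with open(f"/sys/block/{dev}/device/{name}", encoding="ascii",
                      errors="replace") as f:
                attrs[name] = f.read().strip()
        except OSError:
            attrs[name] = ""
    return attrs


def fingerprint(attrs: Dict[str, str]) -> bytes:
    # Canonical encoding: fixed key order, whitespace stripped, so trivial
    # formatting differences do not change the derived key.
    return "|".join(f"{k}={attrs.get(k, '').strip()}" for k in ATTR_NAMES).encode()


def derive_keys(fp: bytes, salt: bytes) -> tuple:
    # PBKDF2 makes enumerating candidate environments slower for an analyst.
    km = hashlib.pbkdf2_hmac("sha256", fp, salt, 50_000, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream; a stand-in for a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, attrs: Dict[str, str]) -> bytes:
    """Encrypt payload under a key derived from the expected drive identity.
    Output layout: 16-byte salt || 32-byte tag || ciphertext."""
    salt = os.urandom(16)
    enc_key, mac_key = derive_keys(fingerprint(attrs), salt)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, len(payload))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct


def unseal(blob: bytes, attrs: Dict[str, str]) -> Optional[bytes]:
    """Decrypt only if the local drive identity reproduces the key; else None."""
    if len(blob) < 48:
        return None
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    enc_key, mac_key = derive_keys(fingerprint(attrs), salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong environment: the guardrail refuses to run
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


def roundtrip(payload: bytes, seal_attrs: Dict[str, str],
              open_attrs: Dict[str, str]) -> Optional[bytes]:
    """Seal on the builder's side, unseal on a host reporting open_attrs."""
    return unseal(seal(payload, seal_attrs), open_attrs)


if __name__ == "__main__":
    blob = seal(b"stage-2 payload (constructed)", TARGET_DRIVE)
    print(unseal(blob, TARGET_DRIVE))        # payload recovered on the target
    print(unseal(blob, OTHER_DRIVE))         # None: different drive
    print(unseal(blob, read_sysfs_drive()))  # None unless this host has the target drive
```

The defender's takeaway is the reverse of the attacker's: a keyed payload found in telemetry is useless without the drive strings of the host it was meant for, so forensic collection should record the model, vendor and firmware revision of attached drives alongside the sample.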

References