Theft of Operational Information

Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. [1] [2]

ID: T0882
Sub-techniques: No sub-techniques
Tactic: Impact
Platforms: None
Version: 1.0
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S1000 ACAD/Medre.A

ACAD/Medre.A can collect AutoCAD files containing drawings. These drawings may contain operational information. [3]

S0038 Duqu

Duqu's purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, and from others outside the industrial sector, in order to more easily conduct a future attack against another third party. [4]

S0143 Flame

Flame can collect AutoCAD design data and Visio diagrams, as well as other documents that may contain operational information. [5]

S0496 REvil

REvil sends exfiltrated data from the victim's system using HTTPS POST messages sent to the C2 system. [6] [7]

Mitigations

ID Mitigation Description
M0803 Data Loss Prevention

Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).

M0941 Encrypt Sensitive Information

Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP).

M0809 Operational Information Confidentiality

Example mitigations include minimizing the distribution and storage of operational information, or obfuscating it (e.g., facility cover terms, codenames). In many cases this information is necessary to support critical engineering, maintenance, or operational functions, so the mitigation may not be feasible to implement.

M0922 Restrict File and Directory Permissions

Protect files stored locally with proper permissions to limit opportunities for adversaries to interact with and collect information from databases. [8] [9]
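As an added illustration of M0922 (not part of the MITRE page), the following script audits a directory tree for design documents of the kinds named in the procedure examples (AutoCAD drawings, Visio diagrams) that are readable or writable more broadly than their owner; the file names, modes and extension list are constructed assumptions for the demonstration.

```python
"""Audit permissions on operational design documents (added example)."""
import stat
import tempfile
from pathlib import Path

# Document types that commonly carry operational information; AutoCAD and
# Visio are named on the page, the remaining suffixes are assumed.
SENSITIVE_SUFFIXES = {".dwg", ".dxf", ".vsd", ".vsdx", ".pdf", ".docx"}


def audit_permissions(root):
    """Walk `root` and report sensitive files with overly broad mode bits.

    Returns a list of (path, octal_mode, reasons). Group read is tolerated
    (shared engineering groups are common); world read/write and group
    write are flagged.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SENSITIVE_SUFFIXES:
            continue
        mode = path.stat().st_mode
        reasons = []
        if mode & stat.S_IROTH:
            reasons.append("world-readable")
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if reasons:
            findings.append((str(path), oct(stat.S_IMODE(mode)), reasons))
    return findings


def build_sample_tree(base):
    """Create constructed sample files with deliberately chosen modes."""
    base = Path(base)
    (base / "plant").mkdir()
    samples = {
        "plant/p101_layout.dwg": 0o644,  # world-readable drawing: finding
        "plant/network.vsdx": 0o666,     # world-writable diagram: finding
        "plant/shift_rota.docx": 0o640,  # owner + group read only: accepted
        "plant/readme.txt": 0o644,       # not a sensitive type: ignored
    }
    for rel, mode in samples.items():
        (base / rel).write_text("constructed sample content")
        (base / rel).chmod(mode)


def demo():
    """Run the audit over the constructed tree; return (name, reasons) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted((Path(p).name, r) for p, _, r in audit_permissions(tmp))
```

Run `demo()` to see the two flagged files; in production, point `audit_permissions` at the engineering file shares and feed the findings to the change or ticketing process.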

References