1. Home
  2. Techniques
  3. ICS
  4. Block Communications
  5. Ethernet

Block Communications: Ethernet

ID Name
T1695.001 Serial COM
T1695.002 Ethernet
T1695.003 Wi-Fi

Adversaries may block access to Ethernet communications to prevent instructions or configurations messages from reaching target systems and devices. Ethernet connections allow for communications between IT and OT systems and devices. Blocking Ethernet communications may also block command and reporting messages.[1]

An adversary may block Ethernet communications by disabling network interfaces, Service Stop, or conducting an Adversary-in-the-Middle attack and dropping the network traffic.

ID: T1695.002
Sub-technique of:  T1695
Version: 1.0
Created: 20 April 2026
Last Modified: 23 April 2026
Version Permalink

Procedure Examples

ID Name Description
S0372 LockerGoga

LockerGoga had blocked network communications by disabling all the network interfaces on the system via netsh.exe.[2][3][4]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0017 Distributed Control System (DCS) Controller
A0013 Field I/O
A0016 Firewall
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0012 Jump Host
A0018 Programmable Automation Controller (PAC)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0014 Routers
A0010 Safety Controller
A0015 Switch
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0807 Network Allowlists

Implement network allowlists to minimize network access to only authorized hosts.
M0930 Network Segmentation

Segment operational networks to isolate critical systems and devices that do not require broad network access.
M0810 Out-of-Band Communications Channel

Ensure systems and devices have an alternative method for communicating in the event that Ethernet communication channels become unavailable.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0911 Detection of Block Ethernet AN2054

Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Ethernet messages are blocked.

Monitor for a loss of network communications, which may indicate this technique is being used.

Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution but instead may provide additional evidence that the technique has been used and may complement other detections.

Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.

Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.

References

  1. Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12
  2. Joe Slowik. (2020, March 17). Spyware Stealer Locker Wiper: LockerGoga Revisited. Retrieved April 22, 2026.
  1. Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16
  2. Oleg Kolesnikov and Harshvardhan Parashar. (2019, April 30). Detecting LockerGoga Targeted IT/OT Cyber Sabotage/Ransomware Attacks. Retrieved April 22, 2026.