ATT&CK knowledge base by MITRE


ATT&CK for ICS is a comprehensive threat detection framework from MITRE Corporation that enables security managers to assess and improve their security controls for ICS. The non-profit organization has recently released an ATT&CK for ICS knowledge base describing what actions an adversary can take while operating within an ICS (Industrial Control Systems) network.

There are currently 81 techniques in ATT&CK for ICS, which documents the tactics and techniques used by adversaries, each with a technical description. These techniques are accompanied by software, which includes custom or commercial code, operating system utilities, open-source software and other tools used to conduct behavior modeled in ATT&CK for ICS. A list of 17 software entries is tracked, and these are tagged in techniques as well.

In the security community, a set of related intrusion activities is tracked under a common name, referred to as a group. MITRE mentioned that “Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names.”

Below is the list of 10 reported groups tracked by ATT&CK for ICS:

Group: ALLANITE
Associated Groups: Palmetto Fusion
Description: ALLANITE is a suspected Russian cyber espionage group that has primarily targeted the electric utility sector within the United States and the United Kingdom. The group’s tactics and techniques are reportedly similar to Dragonfly / Dragonfly 2.0, although ALLANITE’s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence.

Group: APT33
Description: APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.

Group: Dragonfly
Associated Groups: Energetic Bear
Description: Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these being tracked as two separate groups.

Group: Dragonfly 2.0
Associated Groups: Dragonfly 2.0, Berserk Bear
Description: Dragonfly 2.0 is a suspected Russian threat group which has been active since at least late 2015. Dragonfly 2.0’s initial reported targets were a part of the energy sector, located within the United States, Switzerland, and Turkey. There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups.

Group: HEXANE
Description: HEXANE is a threat group that has targeted ICS organizations within the oil & gas and telecommunications sectors. Many of the targeted organizations have been located in the Middle East, including Kuwait. HEXANE’s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. HEXANE’s TTPs appear similar to APT33 and OilRig, but due to differences in victims and tools it is tracked as a separate entity.

Group: Lazarus group
Associated Groups: Guardians of Peace, Lazarus group
Description: Lazarus group is a suspected North Korean adversary group that has targeted networks associated with civilian electric energy in Europe, East Asia, and North America. Links have been established associating this group with the WannaCry ransomware from 2017. While WannaCry was not an ICS-focused attack, Lazarus group is considered to be a threat to ICS. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.

Group: Leafminer
Description: Leafminer is a threat group that has targeted Saudi Arabia, Japan, Europe and the United States. Within the US, Leafminer has targeted electric utilities and initial access into those organizations. Reporting indicates that Leafminer has not demonstrated ICS-specific or destructive capabilities.

Group: OilRig
Associated Groups: APT 34
Description: OilRig is a suspected Iranian threat group that has targeted the financial, government, energy, chemical, and telecommunications sectors, as well as petrochemical and oil & gas. OilRig has been observed operating in Iraq, Pakistan, Israel, and the UK, and has been linked to the Shamoon attacks in 2012 on Saudi Aramco.

Group: Sandworm
Description: Sandworm is a threat group associated with the Kiev, Ukraine electrical transmission substation attacks, which impacted electric grid operations on December 17th, 2016. Sandworm has been cited as the authors of the Industroyer malware, which was used in the 2016 Ukraine attacks.

Group: XENOTIME
Description: XENOTIME is a threat group that has targeted and compromised industrial systems, specifically safety instrumented systems that are designed to provide safety and protective functions. XENOTIME has previously targeted oil & gas, as well as electric sectors within the Middle East, Europe, and North America. XENOTIME has also been reported to target ICS vendors, manufacturers, and organizations in the Middle East. This group is one of the few with reported destructive capabilities.

ICS networks are heterogeneous in nature: there are many software/hardware platforms, applications, and tools associated with them. Because of this, ATT&CK for ICS techniques do not apply to all ICS networks. ATT&CK for ICS has therefore added an organizational unit of assets to help ATT&CK for ICS customers recognize which techniques apply to their ICS network.

ATT&CK for ICS is still in its development phase and is looking for more information to refine and extend its area of work. You can contact MITRE for information and queries at You can also contribute through their website’s contribution page.

