Impact

T1485: Data Destruction

T1485 · Technique · 6 platforms · 6 groups

Description

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.

Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)

In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider) Similarly, they may delete virtual machines from on-prem virtualized environments.

Platforms

Containers, ESXi, IaaS, Linux, macOS, Windows

Sub-Techniques (1)

T1485.001: Lifecycle-Triggered Deletion

Mitigations (3)

Multi-factor AuthenticationM1032

Implement multi-factor authentication (MFA) delete for cloud storage resources, such as AWS S3 buckets, to prevent unauthorized deletion of critical data and infrastructure. MFA delete requires additional authentication steps, making it significantly more difficult for adversaries to destroy data without proper credentials. This additional security layer helps protect against the impact of data de

Data BackupM1053

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

User Account ManagementM1018

In cloud environments, limit permissions to modify cloud bucket lifecycle policies (e.g., PutLifecycleConfiguration in AWS) to only those accounts that require it. In AWS environments, consider using Service Control Policies (SCPs) to limit the use of the PutBucketLifecycle API call.
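The following service control policy is an added example, not from the ATT&CK page or from AWS documentation: it denies the lifecycle-configuration write for every principal in the organization except a hypothetical `StorageAdmin` role (the role name and the wildcard account ID are assumptions). The IAM action is `s3:PutLifecycleConfiguration`, which covers both the legacy `PutBucketLifecycle` and the current `PutBucketLifecycleConfiguration` API calls.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLifecycleChangesExceptStorageAdmin",
      "Effect": "Deny",
      "Action": "s3:PutLifecycleConfiguration",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/StorageAdmin"
        }
      }
    }
  ]
}
```

Attach it to the organizational units that hold production accounts; SCPs never grant permissions, so the `StorageAdmin` role still needs an identity policy that allows the action, and SCPs do not apply to the organization's management account. MFA delete from M1032 is a separate control: it is part of the bucket's versioning configuration, requires versioning to be enabled, and can only be turned on by the account's root user through the API or CLI (`aws s3api put-bucket-versioning` with `--mfa`), not through the console.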

Threat Groups (6)

| ID | Group | Context |
|---|---|---|
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has deleted the target's systems and resources both on-premises and in the cloud.(Citation: MSTIC DEV... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used a custom secure delete function to overwrite file contents with data from heap memory.... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has destroyed data and backup files.(Citation: Microsoft Storm-0501 Embargo Ransomware August 2025... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used a custom secure delete function to make deleted files unrecoverable.(Citation: FireEye APT38 O... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used [CaddyWiper](https://attack.mitre.org/software/S0693), [SDelete](https://attack.mitre.... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has conducted data wiping attacks on compromised systems.(Citation: Check Point VOID MANTICORE... |

Associated Software (28)

| ID | Name | Type | Context |
|---|---|---|---|
| S0659 | Diavol | Malware | [Diavol](https://attack.mitre.org/software/S0659) can delete specified files from a targeted system.(Citation: Fortinet Diavol July 2021) |
| S0689 | WhisperGate | Malware | [WhisperGate](https://attack.mitre.org/software/S0689) can corrupt files by overwriting the first 1 MB with `0xcc` and appending random extensions.(Ci... |
| S0604 | Industroyer | Malware | [Industroyer](https://attack.mitre.org/software/S0604)’s data wiper module clears registry keys and overwrites both ICS configuration and Windows file... |
| S0341 | Xbash | Malware | [Xbash](https://attack.mitre.org/software/S0341) has destroyed Linux-based databases as part of its ransomware capabilities.(Citation: Unit42 Xbash Se... |
| S1125 | AcidRain | Malware | [AcidRain](https://attack.mitre.org/software/S1125) performs an in-depth wipe of the target filesystem and various attached storage devices through ei... |
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has destroyed the victim’s home directory by overwriting and deleting every writable file within... |
| S0496 | REvil | Malware | [REvil](https://attack.mitre.org/software/S0496) has the capability to destroy files and folders.(Citation: Kaspersky Sodin July 2019)(Citation: Secur... |
| S0265 | Kazuar | Malware | [Kazuar](https://attack.mitre.org/software/S0265) can overwrite files with random data before deleting them.(Citation: Unit 42 Kazuar May 2017) |
| S9038 | DynoWiper | Malware | [DynoWiper](https://attack.mitre.org/software/S9038) has overwritten files with 16-byte sequences of random data generated by the Mersenne Twister alg... |
| S0697 | HermeticWiper | Malware | [HermeticWiper](https://attack.mitre.org/software/S0697) can recursively wipe folders and files in `Windows`, `Program Files`, `Program Files(x86)`, `... |
| S9030 | SameCoin | Malware | [SameCoin](https://attack.mitre.org/software/S9030) can overwrite designated files on targeted systems with random bytes.(Citation: Check Point Wirte ... |
| S1134 | DEADWOOD | Malware | [DEADWOOD](https://attack.mitre.org/software/S1134) overwrites files on victim systems with random data to effectively destroy them.(Citation: Sentine... |
| S0140 | Shamoon | Malware | [Shamoon](https://attack.mitre.org/software/S0140) attempts to overwrite operating system files and disk structures with image files.(Citation: Symant... |
| S0139 | PowerDuke | Malware | [PowerDuke](https://attack.mitre.org/software/S0139) has a command to write random data across a file and delete it.(Citation: Volexity PowerDuke Nove... |
| S0365 | Olympic Destroyer | Malware | [Olympic Destroyer](https://attack.mitre.org/software/S0365) overwrites files locally and on remote shares.(Citation: Talos Olympic Destroyer 2018)(Ci... |
| S1135 | MultiLayer Wiper | Malware | [MultiLayer Wiper](https://attack.mitre.org/software/S1135) deletes files on network drives, but corrupts and overwrites with random data files stored... |
| S0693 | CaddyWiper | Malware | [CaddyWiper](https://attack.mitre.org/software/S0693) can work alphabetically through drives on a compromised system to take ownership of and overwrit... |
| S9039 | LazyWiper | Malware | [LazyWiper](https://attack.mitre.org/software/S9039) has overwritten files with pseudorandom 32‑byte sequences written at 16‑byte intervals making the... |
| S0195 | SDelete | Tool | [SDelete](https://attack.mitre.org/software/S0195) deletes data in a way that makes it unrecoverable.(Citation: Microsoft SDelete July 2016) |
| S0089 | BlackEnergy | Malware | [BlackEnergy](https://attack.mitre.org/software/S0089) 2 contains a "Destroy" plug-in that destroys data stored on victim hard drives by overwriting f... |

Frequently Asked Questions

What is T1485 (Data Destruction)?

T1485 is a MITRE ATT&CK technique named 'Data Destruction'. It belongs to the Impact tactic. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.

How can T1485 be detected?

Detection of T1485 (Data Destruction) rests on file and process telemetry rather than on network traffic: bursts of file deletion or modification events attributed to one process (Sysmon Event IDs 23 and 26 on Windows; auditd rules on the unlink, unlinkat and rename syscalls on Linux), process creation for known overwriting tools such as SDelete or cipher.exe with the /w: switch, and writes to remote shares from a host that does not normally touch them. In cloud environments, alert on audit-log records (for example AWS CloudTrail) for API calls that delete storage objects, buckets, snapshots, volumes, machine images, database instances or virtual machines, and correlate them with the credential-theft and lateral-movement techniques named in the description, since wipers typically stage across admin shares before executing. Object-level deletions in S3 only appear in CloudTrail when data events are enabled.

What mitigations exist for T1485?

There are 3 documented mitigations for T1485. Key mitigations include: Multi-factor Authentication, Data Backup, User Account Management.

Which threat groups use T1485?

Known threat groups using T1485 include: LAPSUS$, Lazarus Group, Storm-0501, APT38, Sandworm Team, VOID MANTICORE.