Impact

T1561.002: Disk Structure Wipe

Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

T1561.002 · Sub-technique · 4 platforms · 6 groups

Description

Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. Disk Structure Wipe may be performed in isolation, or along with Disk Content Wipe if all sectors of a disk are wiped.
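To make the structures this paragraph names concrete from the defender's side, here is an added example (not code from ATT&CK or from any of the tools listed on this page) that inspects a captured copy of sector 0. It relies only on the standard MBR layout: 446 bytes of first-stage loader code, four 16-byte partition entries at offset 446, and the 0x55AA boot signature at offset 510. It reports the conditions a wiped or overwritten MBR produces (missing signature, uniform fill in the loader region, empty partition table) and compares the sector against a known-good fingerprint, which is how a file-integrity or forensic tool would notice the change. The intact sample MBR and the zero-filled sector are constructed inline; on a real host the 512 bytes would come from a disk image or a sector-0 snapshot taken at baseline time.

```python
"""Integrity checks for a 512-byte MBR snapshot (added example, constructed data)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOTSTRAP_END = 446            # bytes 0..445: first-stage loader code
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Return the non-empty slots of the classic four-entry MBR partition table."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, type_id = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if type_id == 0 and lba_start == 0 and count == 0:
            continue  # unused slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, count))
    return entries


def assess_mbr(sector: bytes) -> List[str]:
    """Return findings describing why the sector could no longer boot a system.

    An empty list means the sector is structurally intact.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    findings = []
    if sector[SECTOR_SIZE - 2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    bootstrap = sector[:BOOTSTRAP_END]
    if len(set(bootstrap)) == 1:
        # Real loader code is never a single repeated byte; a zero- or 0xFF-fill is.
        findings.append(f"bootstrap code region is a uniform fill of 0x{bootstrap[0]:02x}")
    entries = parse_partition_table(sector)
    if not entries:
        findings.append("partition table has no entries")
    for e in entries:
        status = sector[PART_TABLE_OFFSET + e.index * PART_ENTRY_SIZE]
        if status not in (0x00, 0x80):
            findings.append(f"partition {e.index}: invalid status byte 0x{status:02x}")
        if e.sector_count == 0:
            findings.append(f"partition {e.index}: zero-length partition")
    return findings


def sector_fingerprint(sector: bytes) -> str:
    """SHA-256 of the sector, suitable for storing as a baseline."""
    return hashlib.sha256(sector).hexdigest()


def changed_since_baseline(sector: bytes, baseline_fingerprint: str) -> bool:
    return sector_fingerprint(sector) != baseline_fingerprint


def build_sample_mbr() -> bytes:
    """Constructed, minimal but structurally valid MBR (not taken from any real disk)."""
    bootstrap = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOTSTRAP_END - 5)
    # One bootable entry of type 0x07 starting at LBA 2048, 204800 sectors long;
    # the CHS fields are placeholder values, as modern loaders use the LBA fields.
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff])
    entry += struct.pack("<II", 2048, 204800)
    table = entry + b"\x00" * (3 * PART_ENTRY_SIZE)
    return bootstrap + table + BOOT_SIGNATURE


# What a zero-fill of the first 512 bytes leaves behind (constructed).
ZEROED_MBR = b"\x00" * SECTOR_SIZE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sector_fingerprint(good)  # taken once, while the host is known-good
    for name, sec in (("intact", good), ("zeroed", ZEROED_MBR)):
        state = "CHANGED" if changed_since_baseline(sec, baseline) else "unchanged"
        print(f"{name}: {state}; findings={assess_mbr(sec)}")
```

The baseline comparison is the cheap, high-signal check: any write to sector 0 outside a planned maintenance window changes the fingerprint, regardless of what was written. The structural findings then explain what was lost, which helps triage decide between restoring the boot record alone and restoring the whole disk from backup.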

On network devices, adversaries may reformat the file system using Network Device CLI commands such as format.(Citation: format_cmd_cisco)

To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)

Platforms

Linux, macOS, Network Devices, Windows

Mitigations (1)

M1053: Data Backup

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from the common methods adversaries use to gain access to and destroy backups in order to prevent recovery.

Threat Groups (6)

| ID | Group | Context |
| --- | --- | --- |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has deployed custom wipers that overwrite system files and the host device's master boot record... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used a custom MBR wiper named BOOTWRECK to render systems inoperable.(Citation: FireEye APT38 Oct 2... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used the [BlackEnergy](https://attack.mitre.org/software/S0089) KillDisk component to corru... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine a... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) conducted destructive operations against victims, including disk structure wiping, via the [Whispe... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).(... |

Associated Software (13)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0140 | Shamoon | Malware | [Shamoon](https://attack.mitre.org/software/S0140) has been seen overwriting features of disk structure such as the MBR.(Citation: Symantec Shamoon 20... |
| S9002 | Diskpart | Tool | [Diskpart](https://attack.mitre.org/software/S9002) can be used to delete a partition or a volume.(Citation: Microsoft_diskpart_Feb2023) [Diskpart](ht... |
| S0697 | HermeticWiper | Malware | [HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrit... |
| S0364 | RawDisk | Tool | [RawDisk](https://attack.mitre.org/software/S0364) was used in [Shamoon](https://attack.mitre.org/software/S0140) to help overwrite components of disk... |
| S1136 | BFG Agonizer | Malware | [BFG Agonizer](https://attack.mitre.org/software/S1136) retrieves a device handle to `\\.\PhysicalDrive0` to wipe the boot sector of a g... |
| S0689 | WhisperGate | Malware | [WhisperGate](https://attack.mitre.org/software/S0689) can overwrite the Master Boot Record (MBR) on victim systems with a malicious 16-bit bootloader... |
| S1178 | ShrinkLocker | Malware | [ShrinkLocker](https://attack.mitre.org/software/S1178) has used [Diskpart](https://attack.mitre.org/software/S9002) to format newly-created partition... |
| S0607 | KillDisk | Malware | [KillDisk](https://attack.mitre.org/software/S0607) overwrites the first sector of the Master Boot Record with “0x00”.(Citation: Trend Micro KillDisk ... |
| S0380 | StoneDrill | Malware | [StoneDrill](https://attack.mitre.org/software/S0380) can wipe the master boot record of an infected computer.(Citation: Symantec Elfin Mar 2019) |
| S1135 | MultiLayer Wiper | Malware | [MultiLayer Wiper](https://attack.mitre.org/software/S1135) opens a handle to `\\.\PhysicalDrive0` and wipes the first 512 bytes o... |
| S1134 | DEADWOOD | Malware | [DEADWOOD](https://attack.mitre.org/software/S1134) opens and writes zeroes to the first 512 bytes of each drive, deleting the MBR. [DEADWOOD](https:/... |
| S1151 | ZeroCleare | Malware | [ZeroCleare](https://attack.mitre.org/software/S1151) can corrupt the file system and wipe the system drive on targeted hosts.(Citation: Mandiant ROAD... |
| S0693 | CaddyWiper | Malware | [CaddyWiper](https://attack.mitre.org/software/S0693) has the ability to destroy information about a physical drive's partitions including the MBR, GP... |

Frequently Asked Questions

What is T1561.002 (Disk Structure Wipe)?

T1561.002 is a MITRE ATT&CK sub-technique named 'Disk Structure Wipe'. It belongs to the Impact tactic. Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

How can T1561.002 be detected?

Detection of T1561.002 (Disk Structure Wipe) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1561.002?

There is 1 documented mitigation for T1561.002: Data Backup (M1053).

Which threat groups use T1561.002?

Known threat groups using T1561.002 include: VOID MANTICORE, APT38, Sandworm Team, Lazarus Group, Ember Bear, APT37.