ATAGS Tactic: Impact
| ID | Name | Description |
|---|---|---|
| ATAGS-T1210 | Account Access Removal | Threat actors may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as SharePoint) to remove access to accounts. Threat actors may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place. |
| ATAGS-T1211 | Data Destruction | Threat actors may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as `del` and `rm` often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure. |
| .001 | Lifecycle-Triggered Deletion | Threat actors may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. |
| ATAGS-T1212 | Data Encrypted for Impact | Threat actors may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. |
| ATAGS-T1213 | Data Manipulation | Threat actors may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, threat actors may attempt to affect a business process, organizational understanding, or decision making. |
| .001 | Runtime Data Manipulation | Threat actors may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data. By manipulating runtime data, threat actors may attempt to affect a business process, organizational understanding, and decision making. |
| .002 | Stored Data Manipulation | Threat actors may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, threat actors may attempt to affect a business process, organizational understanding, and decision making. |
| .003 | Transmitted Data Manipulation | Threat actors may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data. By manipulating transmitted data, threat actors may attempt to affect a business process, organizational understanding, and decision making. |
| ATAGS-T1214 | Defacement | Threat actors may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. |
| .001 | External Defacement | An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system's integrity. Externally-facing websites are a common victim of defacement, often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. |
| .002 | Internal Defacement | An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper. Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished. |
| ATAGS-T1215 | Degradation of infrastructure | Measures designed to permanently impair (either partially or totally) the use of a system. Threat actors may target various subsystems or the hosted payload in such a way as to rapidly increase its degradation. This could potentially shorten the lifespan of the victim spacecraft. |
| ATAGS-T1216 | Denial of Service | Measures designed to temporarily eliminate the use, access, or operation of a system for a period of time, usually without physical damage to the affected system. Threat actors may seek to deny ground providers or customers access to the victim infrastructure. This would be done by exhausting system resources, degrading subsystems, or blocking communications entirely. |
| ATAGS-T1217 | Endpoint Denial of Service | Threat actors may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Threat actors have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion. |
| .001 | Application Exhaustion Flood | Threat actors may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. |
| .002 | Application or System Exploitation | Threat actors may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition. |
| .003 | OS Exhaustion Flood | Threat actors may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes. |
| .004 | Service Exhaustion Flood | Threat actors may target the different network services provided by systems to conduct a denial of service (DoS). Threat actors often target the availability of DNS and web services; however, others have been targeted as well. Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service. |
| ATAGS-T1218 | Financial Theft | Threat actors may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware, business email compromise (BEC) and fraud, "pig butchering," bank hacking, and exploiting cryptocurrency networks. |
| ATAGS-T1219 | Inhibit System Recovery | Threat actors may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system, in order to prevent recovery. This may deny access to available backups and recovery options. |
| ATAGS-T1073 | KMS Key Disablement / Replacement | Threat actors may compromise the Key Management Service (KMS) controlling the encryption of the Ground Station's data output. By disabling, deleting, or maliciously rotating the Customer Master Keys (CMKs) used to encrypt the digitized RF streams (VITA 49) stored in cloud buckets, the adversary renders the downlinked mission data permanently inaccessible to the operator, even if the satellite itself remains healthy. |
| ATAGS-T1220 | Loss of Control | Threat actors may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided; this has direct consequences on the control of the spacecraft. |
| ATAGS-T1221 | Loss of Intellectual property/proprietary data | Threat actors may attempt to steal the data that is being gathered, processed, and sent from the victim spacecraft. Many spacecraft have a particular purpose associated with them, and the data they gather is deemed mission critical. By attempting to steal this data, the mission, or purpose, of the spacecraft could be lost entirely. |
| ATAGS-T1222 | Loss of Productivity and Revenue | Threat actors may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. |
| ATAGS-T1223 | Loss of Protection | Threat actors may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions, and hazards to personnel. |
| ATAGS-T1224 | Loss of View | Threat actors may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. |
| ATAGS-T1225 | Physical Destruction | Measures designed to permanently eliminate the use of a system, potentially through some physical damage to the system. Threat actors may destroy data, commands, subsystems, or attempt to destroy the victim spacecraft itself. This behavior is different from Degradation, as the individual parts are destroyed rather than put in a position in which they would slowly degrade over time. |
| ATAGS-T1226 | Resource Hijacking | Threat actors may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. |
| .001 | Bandwidth Hijacking | Threat actors may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. |
| .002 | Cloud Service Hijacking | Threat actors may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability. |
| .003 | Compute Hijacking | Threat actors may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. |
| ATAGS-T1227 | Unauthorized Command Message | Threat actors may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control system devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control system device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control system device to perform an action that will cause an Impact. |