{"description": "ICS techniques used by CyberAv3ngers, ATT&CK group G1027 (v1.0)", "name": "CyberAv3ngers (G1027)", "domain": "ics-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T0812", "comment": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) discovered and exploited default credentials found on many Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). For many of these devices, the default password was set to \u20181111\u2019.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: CISA Unitronics November 2023)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0814", "comment": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) defaced controllers\u2019 [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002), which prevented multiple entities from being able to operate their devices normally.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: CISA Unitronics November 2023)(Citation: Jamie Tarabay and Katrina Manson December 2023)(Citation: Frank Bajak and Marc Levy December 2023) Additionally, the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) caused a communications failure in a remote pumping station.(Citation: WPXI Aliquippa Water November 2023)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0883", "comment": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) exploited devices connected to the public internet, such as internet connected Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) with [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002) and networking equipment such as cellular modems found in OT environments.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: Lisa Zahner December 2023)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0826", "comment": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) caused multiple businesses to halt operations due to the unavailability of the [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) and [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). These victims covered multiple sectors.(Citation: Jamie Tarabay and Katrina Manson December 2023)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0828", "comment": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) caused multiple businesses to halt operations in their industrial environments, impacting their typical business operations. These victims covered multiple sectors.(Citation: Jamie Tarabay and Katrina Manson December 2023)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0829", "comment": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) replaced the existing graphic on the [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002) with their own, thereby preventing PLC owners and operators from viewing PLC information on the HMI.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: Jamie Tarabay and Katrina Manson December 2023) ", "score": 1, "color": "#ff6666", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by CyberAv3ngers", "color": "#66b1ff"}, {"label": "used by a campaign attributed to CyberAv3ngers", "color": "#ff6666"}, {"label": "used by CyberAv3ngers and used by a campaign attributed to CyberAv3ngers", "color": "#ff66f4"}]}