Stored Data Manipulation

Information

• Name: Stored Data Manipulation

• ID: T1565.001

• Tactics: TA0040

• Technique: T1565

Introduction

Stored Data Manipulation (T1565.001) is a sub-technique within the MITRE ATT&CK framework categorized under Data Manipulation (T1565). It involves adversaries modifying, deleting, or corrupting stored data to influence business processes, disrupt operations, or compromise the integrity of information. Attackers leverage this technique to achieve various objectives, including sabotage, misinformation, and operational disruption, often leading to significant negative impacts on organizations.

Deep Dive Into Technique

Stored Data Manipulation encompasses various methods and mechanisms that adversaries may utilize to compromise stored information. Key technical details include:

• Direct File Modification:

  • Attackers may directly alter file contents, metadata, or permissions to corrupt or falsify data.

  • Common targets include databases, configuration files, logs, and document repositories.

• Database Manipulation:

  • SQL injection or unauthorized access can be leveraged to modify database records.

  • Attackers may execute UPDATE, DELETE, or INSERT queries to alter critical information.

• Backup and Archive Tampering:

  • Adversaries may target backup systems to compromise recovery capabilities.

  • Altering backups ensures that restoration processes become ineffective or unreliable during recovery.

• File System Corruption:

  • Attackers may intentionally corrupt file systems or storage devices, rendering stored data inaccessible or unusable.

  • Techniques such as overwriting critical sectors or file headers are common.

• Ransomware and Data Wipers:

  • Malicious software designed specifically to encrypt, corrupt, or delete stored data.

  • Attackers utilize ransomware to hold data hostage, demanding payment for restoration keys.

  • Data wipers permanently destroy data, often for sabotage or disruption purposes.

Real-world procedures often involve gaining initial access through phishing, exploitation of vulnerabilities, or insider threats. Once inside, attackers escalate privileges, identify critical stored data, and execute data manipulation activities to achieve their strategic objectives.

When this Technique is Usually Used

Stored Data Manipulation typically appears in various attack scenarios and stages, including:

• Sabotage and Disruption Operations:

  • Adversaries aiming to disrupt business continuity by corrupting critical databases, backups, or operational data.

• Ransomware Attacks:

  • Attackers encrypt stored data, making it inaccessible until ransom demands are met.

• Espionage and Data Integrity Attacks:

  • Nation-state actors or competitors altering sensitive data to mislead decision-making processes or damage organizational reputation.

• Insider Threat Scenarios:

  • Malicious insiders intentionally modifying, deleting, or corrupting data to harm the organization or cover illicit activities.

• Supply Chain Compromise:

  • Attackers compromising third-party software or services to manipulate stored data downstream, affecting multiple organizations simultaneously.

This technique can be employed at different stages of the attack lifecycle, commonly during execution, persistence, defense evasion, and impact phases.

How this Technique is Usually Detected

Detection of Stored Data Manipulation involves multiple methods, tools, and indicators of compromise (IoCs):

• File Integrity Monitoring (FIM):

  • Tools such as Tripwire, OSSEC, or built-in OS auditing capabilities detect unauthorized changes to files and directories.

• Database Auditing and Monitoring:

  • Database Activity Monitoring (DAM) solutions detect anomalies and unauthorized queries or modifications.

  • Regular auditing of database logs helps identify suspicious activities.

• Endpoint Detection and Response (EDR):

  • EDR tools detect ransomware behaviors, unauthorized file modifications, or suspicious processes accessing stored data.

• Backup System Monitoring:

  • Monitoring backup logs and integrity checks can detect unauthorized alterations or deletions of backup data.

• Log Analysis and SIEM Tools:

  • Security Information and Event Management (SIEM) systems correlate logs from various sources to identify anomalous patterns indicative of data manipulation.

Specific Indicators of Compromise (IoCs) include:

• Unexpected file hash changes or checksum mismatches.

• Sudden increases in database modification queries or deletions.

• Suspicious file encryption activities or file extensions (.locked, .encrypted).

• Unusual user account behaviors or privilege escalation attempts preceding data changes.

• Logs indicating unauthorized access or tampering with backup systems.

Why it is Important to Detect This Technique

Timely detection of Stored Data Manipulation is critical due to its potential severe impacts on organizations, including:

• Operational Disruption:

  • Corrupted or deleted data can halt critical business operations, leading to downtime, productivity loss, and financial damage.

• Data Integrity Compromise:

  • Manipulated data can cause incorrect business decisions, regulatory non-compliance, and loss of customer trust.

• Financial Loss:

  • Ransomware attacks and data restoration efforts can incur significant financial costs, including ransom payments, recovery, and remediation expenses.

• Reputational Damage:

  • Public disclosure of data manipulation incidents can severely damage organizational reputation, consumer confidence, and stakeholder trust.

• Regulatory and Compliance Issues:

  • Data manipulation may lead to violations of compliance standards (e.g., GDPR, HIPAA), resulting in legal penalties and fines.

Early detection allows organizations to minimize these impacts by enabling prompt incident response, containment, and recovery actions.

Examples

Real-world examples of Stored Data Manipulation include:

• NotPetya Attack (2017):

  • Attackers deployed malware disguised as ransomware, which irreversibly corrupted data on infected systems.

  • Impacted global organizations, causing significant operational disruption and financial losses estimated in billions of dollars.

• Sony Pictures Attack (2014):

  • Attackers deployed destructive malware ("Wiper") that deleted critical data, backups, and system files.

  • Resulted in significant data loss, operational downtime, and reputational damage.

• MongoDB Attacks (Multiple Incidents, 2017-2019):

  • Attackers accessed publicly exposed MongoDB databases, deleted data, and left ransom notes demanding cryptocurrency payments.

  • Thousands of databases affected, leading to widespread data loss and disruption.

• Ukrainian Power Grid Attack (2015):

  • Attackers compromised SCADA systems, modified stored configuration data, and disrupted power distribution.

  • Resulted in widespread power outages affecting hundreds of thousands of people.

• Insider Threat at Tesla (2018):

  • A malicious insider sabotaged Tesla’s manufacturing systems by altering software code and manipulating stored data.

  • Caused delays, operational disruptions, and required extensive investigation and remediation.

These examples illustrate the diverse scenarios, tools, and impacts associated with Stored Data Manipulation, underscoring the importance of robust detection and response capabilities.