S1157: Fuxnet
Analyst context for executives and security teams
Fuxnet matters because ATT&CK describes it as malware aimed at industrial network infrastructure that manages control-system sensors for utility operations. For leaders, the key issue is not just malware presence; it is whether remote access, exposed control assets, I/O servers, and control servers could be used to disrupt operator visibility or device availability in an ICS environment.
Executive priority
Treat this as a cyber-physical resilience scenario. The supplied ATT&CK relationships connect Fuxnet to external remote access, internet-accessible devices, brute force I/O, data destruction, denial of service, and loss of view. Executives should ask whether the organization can prove which control-system assets are internet reachable, who can remotely administer them, what monitoring exists for I/O manipulation and loss of view, and how operations would continue if sensor visibility or server availability is degraded.
Technical view
For SOC, OT, and IR teams, validation should focus on the listed platforms: Input/Output Server and Control Server. ATT&CK provides no official detection text, so teams should build coverage from the related behaviors: access through external remote services or internet-accessible devices; repeated or successive I/O point changes; destructive file or data activity; denial-of-service conditions; and sustained loss of operator view. Correlation with maintenance windows and known vendor/operator activity is essential to avoid false positives.
Likely telemetry
- External remote service authentication and session logs, including VPN or remote administration gateways where present
- Asset inventory and exposure management data for internet-accessible OT or control-system devices
- Firewall, network flow, and remote access logs between external networks, DMZs, I/O servers, and control servers
- ICS protocol or control network monitoring showing repeated I/O point value changes
- Control server and I/O server system logs, process activity, file creation/deletion, and configuration changes
Detection direction
- Confirm whether monitoring exists on Input/Output Server and Control Server platforms, not only enterprise IT endpoints.
- Baseline normal I/O point changes and alert on repetitive or unusual changes that do not align with approved operations or maintenance.
- Correlate remote access sessions or internet-exposed device access with subsequent I/O manipulation, service disruption, data deletion, or visibility loss.
- Treat loss of view as a high-priority operational signal when it is sustained, unexplained, or paired with server/network anomalies.
- Tune detections against expected maintenance, polling issues, device faults, vendor support sessions, and planned failover activity to reduce false positives.
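The correlation described in the list above (a remote-access session followed by a burst of writes to one I/O point, suppressed inside an approved maintenance window) as an added Python sketch; it is not part of the ATT&CK object or of Glexia's analysis, and the event schema, thresholds, host names, addresses and maintenance window are all constructed for the example.

```python
from datetime import datetime, timedelta

WRITE_THRESHOLD = 5                    # writes to one I/O point within WINDOW that count as a burst
WINDOW = timedelta(minutes=2)
SESSION_LOOKBACK = timedelta(hours=1)  # a remote session this recent ties the burst to remote access

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def _burst(host, point, start, n, step_s=10):
    """Constructed sample I/O write events: n writes to one point, step_s seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i * step_s)).isoformat(), "kind": "io_write",
             "host": host, "point": point} for i in range(n)]
# Constructed telemetry (not real logs). 'remote' = a session on an external remote-access
# gateway; 'io_write' = one write to an I/O point recorded by control-network monitoring.
EVENTS = (
    [{"ts": "2024-04-01T02:00:00", "kind": "remote", "src": "203.0.113.7", "host": "ioserver-01"},
     {"ts": "2024-04-01T03:05:00", "kind": "remote", "src": "198.51.100.4", "host": "ioserver-02"}]
    + _burst("ioserver-01", "MBUS/CH3", "2024-04-01T02:01:00", 6)  # burst right after a remote session
    + _burst("ioserver-02", "MBUS/CH1", "2024-04-01T03:10:00", 6)  # burst inside an approved maintenance window
    + _burst("ioserver-03", "MBUS/CH2", "2024-04-01T05:00:00", 2)  # two writes only: below threshold
)
MAINTENANCE = [(datetime(2024, 4, 1, 3, 0), datetime(2024, 4, 1, 4, 0))]  # approved window

def detect(events, maintenance_windows=()):
    """Return (host, point, writes_in_burst, remote_src) for each I/O point whose first write
    burst follows a remote session to the same host and is outside approved maintenance."""
    events = sorted(events, key=_ts)
    sessions = [e for e in events if e["kind"] == "remote"]
    by_point = {}
    for w in (e for e in events if e["kind"] == "io_write"):
        by_point.setdefault((w["host"], w["point"]), []).append(_ts(w))
    alerts = []
    for (host, point), times in by_point.items():
        start = 0
        for end in range(len(times)):           # sliding window over this point's write times
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 < WRITE_THRESHOLD:
                continue
            burst_start = times[start]
            if not any(lo <= burst_start <= hi for lo, hi in maintenance_windows):
                prior = [s for s in sessions if s["host"] == host
                         and burst_start - SESSION_LOOKBACK <= _ts(s) <= burst_start]
                if prior:                        # newest qualifying session is the likely origin
                    alerts.append((host, point, end - start + 1, prior[-1]["src"]))
            break                                # decide once per point, at its first burst
    return alerts
```

Only the ioserver-01 burst alerts: the ioserver-02 burst is suppressed by the maintenance window and ioserver-03 never reaches the threshold, which is the tuning behaviour the last bullet asks for.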
Mitigation priorities
- Inventory and reduce internet exposure for OT and control-system devices, especially systems that can reach I/O servers or control servers.
- Harden and tightly govern external remote services used for control-system administration, including access approval, strong authentication, logging, and session review.
- Segment control networks so remote access paths do not provide broad or direct reachability to critical control assets.
- Maintain recoverable backups and configuration records for control servers, I/O servers, and related operational data to support recovery from destructive activity.
- Define operational procedures for sustained loss of view, including when local hands-on intervention or manual operation is required.
Analyst notes and limits
The official object identifies Fuxnet as malware designed to impact industrial network infrastructure managing control-system sensors for utility operations in Moscow and links it to the Blackjack hacking group, assessed as linked to Ukrainian intelligence services. This take emphasizes defensive decision value from the supplied ATT&CK relationships rather than expanding attribution or claiming current exposure.
ATT&CK does not provide tactics or official detection content for this object, and the relationship descriptions are partially truncated in the supplied data. Coverage decisions require local asset inventory, OT architecture, remote access design, and operational baselines.
Fuxnet
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0883 | Internet Accessible Device | Fuxnet execution relied upon accessing Internet-accessible devices for initial access and deployment. [1] |
| ICS | T0822 | External Remote Services | Fuxnet initial execution relied on accessing external remote services for victim environments. [1] |
| ICS | T0806 | Brute Force I/O | Fuxnet repeatedly wrote arbitrary data over the Meter-Bus channel from impacted devices to connected sensors to render sensor data acquisition useless. [1] |
| ICS | T0829 | Loss of View | Fuxnet impaired sensor communication to impacted devices, resulting in a loss of view condition for overall system monitoring. [1] |
| ICS | T0814 | Denial of Service | Fuxnet shut down remote access services such as SSH, HTTP, telnet, and SNMP to a device, along with deleting the routing table for routing devices, to inhibit system accessibility and communication. [1] |
| ICS | T0809 | Data Destruction | Fuxnet physically destroyed NAND memory chips on impacted devices through repeated bit-flip operations. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 543728d16387… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Claroty Fuxnet 2024. Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.
[2] mitre-attack S1157.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.