T0811: Data from Information Repositories
Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.[1]
Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.
In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information.[2]
Analyst context for executives and security teams
This technique matters because ICS design and operations knowledge can be as sensitive as credentials. Specifications, schematics, control-system diagrams, manuals, RTU site details, personnel lists, and remote access information can help an adversary understand how operations work before attempting more disruptive actions. For executives and security leaders, the practical question is whether engineering and operations repositories are governed like critical infrastructure data, not merely like ordinary documents.
Executive priority
Prioritize this as an operational resilience and governance issue: sensitive ICS documentation often lives across corporate repositories, engineering workstations, historians, control servers, and shared databases. Leaders should ask who can access ICS diagrams, procedures, vendor details, and remote access records; whether that access is audited; and whether evidence exists for compliance or incident response reviews. Budget and control decisions should focus on reducing unnecessary access, protecting sensitive data at rest, and improving auditability of repositories that bridge corporate and process environments.
Technical view
ATT&CK provides no official detection text, platforms, or tactics for T0811, but the relationship context points to detection strategy DET0754 and target assets including Data Historian and Control Server. SOC and IR teams should validate visibility into repository access, database queries, file reads, downloads, exports, searches for ICS-specific terms, and abnormal access to engineering documentation. Detection should be tuned around legitimate engineering and business-analysis workflows, especially where historians or control servers are accessible from the corporate network. The Duqu software relationship indicates this behavior has relevance to malware-enabled collection, but local evidence is required before drawing conclusions in any environment.
Likely telemetry
- Document repository access logs and search logs
- Database authentication, query, export, and read activity
- File share and directory access events for engineering and ICS documentation
- Data historian access, query, and export logs where available
- Control server access logs where repositories or configuration data are reachable
Detection direction
- Inventory repositories that contain ICS specifications, schematics, diagrams, manuals, RTU site information, personnel lists, credentials, or remote access details.
- Validate that access and search activity is logged for both corporate repositories and process-environment reference databases.
- Look for unusual volume, timing, source, account, or search behavior involving ICS-specific terms, while accounting for normal engineering, maintenance, audit, and vendor-support activity.
- Correlate repository access with identity context, privilege level, remote access use, and access to related ICS assets such as historians and control servers.
- Treat missing logs from repositories, historians, or shared engineering databases as a material blind spot rather than assuming low risk.
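The detection direction above can be turned into a concrete first-pass rule. The following is an added example, not part of the ATT&CK object or the Glexia analysis: it parses constructed document-repository search and download log lines (the line format, the account names, the `svc.` service-account prefix, and the thresholds are all assumptions), flags accounts whose queries hit ICS-specific terms taken from the technique description (SCAD*, RTU, manuals, personnel, dial-up, credentials) at a volume above a small baseline inside a sliding window, and attaches the identity, source and off-hours context an analyst would pivot on before concluding anything.

```python
"""
Added example: a first-pass detection over constructed repository search/download
logs for ICS-term hunting (T0811 detection direction). Thresholds and log format are
assumptions; tune against your own engineering and maintenance baselines.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Assumed line format:
# <ISO timestamp> user=<account> src=<ip> action=<search|download> repo=<name> q="<query or path>"
SAMPLE_LOG = """\
2024-03-04T09:12:03Z user=eng.alice src=10.20.1.15 action=search repo=eng-docs q="pump station P&ID rev C"
2024-03-04T09:14:10Z user=eng.alice src=10.20.1.15 action=download repo=eng-docs q="/drawings/pump-station-pid-revC.pdf"
2024-03-04T10:05:44Z user=eng.bob src=10.20.1.22 action=search repo=eng-docs q="RTU firmware manual"
2024-03-04T22:41:02Z user=svc.backup src=10.90.5.8 action=search repo=eng-docs q="SCADA"
2024-03-04T22:41:09Z user=svc.backup src=10.90.5.8 action=search repo=eng-docs q="SCAD*"
2024-03-04T22:41:15Z user=svc.backup src=10.90.5.8 action=search repo=eng-docs q="RTU site list"
2024-03-04T22:41:30Z user=svc.backup src=10.90.5.8 action=search repo=eng-docs q="remote dial-up"
2024-03-04T22:42:01Z user=svc.backup src=10.90.5.8 action=download repo=eng-docs q="/manuals/rtu-field-sites.xlsx"
2024-03-04T22:42:20Z user=svc.backup src=10.90.5.8 action=download repo=eng-docs q="/access/vendor-dialup.txt"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) '
    r'repo=(?P<repo>\S+) q="(?P<q>[^"]*)"$'
)

# Terms taken from the technique description; SCAD* is modelled as a prefix match.
ICS_TERMS = re.compile(
    r"\bscad\w*|\brtu\b|\bmanual|personnel|dial-?up|credential", re.IGNORECASE
)


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, window=timedelta(minutes=10), min_hits=3, business_hours=(7, 19)):
    """Return one finding per account whose ICS-term hits within `window`
    reach `min_hits`. Context fields (sources, off-hours, downloads,
    service-account flag) are for triage, not verdicts."""
    by_user = defaultdict(list)
    for ev in events:
        if ICS_TERMS.search(ev["q"]):
            by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: largest number of term hits inside any `window` span.
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < min_hits:
            continue  # single lookups by engineers are normal; no finding
        off_hours = any(
            not (business_hours[0] <= e["ts"].hour < business_hours[1]) for e in evs
        )
        findings.append({
            "user": user,
            "sources": sorted({e["src"] for e in evs}),
            "hits_in_window": best,
            "off_hours": off_hours,
            "downloads": [e["q"] for e in evs if e["action"] == "download"],
            # Assumed naming convention: service accounts are prefixed "svc."
            "service_account": user.startswith("svc."),
        })
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f)
```

In the constructed data the two engineers' single lookups stay below the threshold, while the service account's burst of SCAD*/RTU/dial-up searches followed by downloads at 22:41 produces one finding with the source address, off-hours flag and downloaded paths attached. The point of the window and threshold is to keep legitimate one-off engineering lookups out of the alert stream; the baseline values here are placeholders to be replaced with what your repositories actually show.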
Mitigation priorities
- Start with audits of where sensitive ICS documentation and operational data are stored, who can access it, and whether permissions match business need.
- Apply user account management and privileged account management to reduce unnecessary access to repositories containing ICS information.
- Restrict file and directory permissions, especially for shared engineering folders and broadly accessible corporate repositories.
- Encrypt sensitive information at rest where supported and appropriate for operational requirements.
- Train users to recognize social engineering or access-manipulation attempts involving sensitive ICS information.
Analyst notes and limits
The supplied ATT&CK object is an ICS technique focused on collection from information repositories. The official description cites CISA reporting about adversaries searching repositories for manuals, RTU site information, personnel lists, SCAD* documents, credentials, and remote dial-up access information. Relationship context identifies mitigations for user training, account management, privileged account management, file and directory permissions, encryption, and audit. The technique also targets Data Historian and Control Server assets, which can be important because these systems may connect operational and corporate analysis needs.
ATT&CK does not provide official detection guidance, tactics, platforms, aliases, or labels for this technique in the supplied object. DET0754 is named as a related detection strategy, but no detailed detection logic is supplied here. Any assessment of exposure, exploitation, control effectiveness, or detection coverage requires local repository inventories, identity data, logging configuration, and ICS architecture review.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S0038: Duqu
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page on updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 66336b9c83d0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cybersecurity & Infrastructure Security Agency. (2018, March 15). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved 2019/10/11.
[2] Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA). (2021, July 20). Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 (Alert AA21-201A). Retrieved 2021/10/08.
[3] MITRE ATT&CK. T0811: Data from Information Repositories.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.