MITRE ATT&CK® Technique

T0827: Loss of Control

Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. [1] [2] [3]

The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.[4] These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Loss of Control is an ICS impact behavior where operators may be unable to command industrial processes, potentially leaving equipment in a sustained uncontrolled or runaway state. Its business significance is not “malware on a device” but the loss of the organization’s ability to safely operate, stop, or recover industrial processes. The ATT&CK description and cited steel mill example connect this behavior to damaged equipment and unsafe conditions, making it a board-level operational resilience and safety concern.

Executive priority

Prioritize this as a cyber-physical resilience scenario: can the organization maintain safe operations, communicate, and recover if normal control paths fail? Leaders should ask whether critical sites have tested alternative communications, redundancy for critical ICS services/devices, hardened and separated backups, and exercised incident response plans for loss of control, view, or availability. This technique is especially relevant for continuity planning, safety assurance, audit evidence, and investment decisions around ICS recovery capabilities.

Technical view

ATT&CK provides no official detection text or platform list for T0827 (the technique sits in the ICS Impact tactic), so SOC and IR teams should validate coverage through the related detection strategy DET0778 and local engineering knowledge of control processes. Detection engineering should focus on evidence that commands are not being accepted or executed, that communications needed for control are failing or untrusted, that control components or services are breaking down, and that operators are being forced into abnormal recovery or shutdown procedures. Relationship context shows use by ICS-relevant campaigns and software, including Ukraine Electric Power Attack, 2025 Poland Wiper Attacks, LockerGoga, and Industroyer; use this context for threat modeling, not as proof of current exposure.

Likely telemetry

  • ICS operator/HMI command attempts and command execution or failure records where available
  • Control system event logs showing loss of communications, service failures, device faults, or component breakdowns
  • Historian, alarm, and process data indicating abnormal state changes, runaway conditions, or uncontrolled shutdown behavior
  • Engineering workstation, server, and critical ICS host logs relevant to availability or control-path failures
  • Network monitoring for ICS communications needed to issue commands or maintain control

Detection direction

  • Map DET0778, if available in the local ATT&CK content set, to site-specific control processes and safety-critical assets rather than relying on generic IT detections.
  • Validate that monitoring distinguishes loss of control from routine maintenance, planned shutdowns, communications outages, and normal failover events to reduce false positives.
  • Correlate operator command failures with process alarms, device/service health, and network communications loss; single-source alerts may be insufficient for this impact behavior.
  • Review blind spots in segmented or isolated ICS environments where SOC tools may not collect HMI, historian, controller, or engineering workstation evidence.
  • Use relationship context from campaigns and software as scenarios for tabletop exercises and detection validation, while avoiding assumptions about platform coverage because the technique itself lists no platforms.
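The correlation the telemetry and detection bullets above call for, as an added worked example that is not part of this page or of ATT&CK: it reads constructed HMI command/acknowledgement, network-monitor, process-alarm and planned-work records (the normalized log format, field names, asset names and thresholds are assumptions for the example, and lines are assumed time-ordered), and raises a loss-of-control candidate only when repeated unconfirmed operator commands are corroborated by a second source outside a declared maintenance window. Communications loss without command failures is reported separately, so the analyst can tell loss of control from loss of communication.

```python
"""Correlate HMI command outcomes, controller comms state, process alarms and
planned-work windows into a per-controller loss-of-control verdict.
Assumed normalized log format (example only; real vendor exports differ):
  <ISO-8601 time> <source> <asset> key=value ...
Sources: hmi_cmd (operator issued), hmi_ack (controller confirmed), comm
(network monitor), alarm (process alarm), maint (planned-work window)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

ACK_TIMEOUT = timedelta(seconds=10)          # controller must confirm a command within this
CORROBORATION_WINDOW = timedelta(minutes=5)  # second-source evidence must be this close
MIN_FAILED_CMDS = 2                          # one unconfirmed command is noise; several is a pattern
ABNORMAL_ALARM_LEVELS = {"HI", "HIHI", "LO", "LOLO"}

# Constructed sample telemetry (not real site data), time-ordered.
SAMPLE_LOG = """\
2024-05-01T08:00:05Z hmi_cmd PLC-FURNACE-1 cmd_id=101 action=SET_SP tag=FUEL_FLOW
2024-05-01T08:00:06Z hmi_ack PLC-FURNACE-1 cmd_id=101 status=OK
2024-05-01T08:10:00Z hmi_cmd PLC-FURNACE-1 cmd_id=102 action=STOP tag=BURNER_A
2024-05-01T08:10:04Z comm PLC-FURNACE-1 state=LOST proto=modbus_tcp
2024-05-01T08:10:20Z hmi_cmd PLC-FURNACE-1 cmd_id=103 action=STOP tag=BURNER_A
2024-05-01T08:10:45Z alarm PLC-FURNACE-1 tag=FURNACE_TEMP level=HIHI
2024-05-01T08:11:00Z hmi_cmd PLC-FURNACE-1 cmd_id=104 action=ESTOP tag=FURNACE
2024-05-01T08:30:00Z maint PLC-PUMP-7 window_start=2024-05-01T08:00:00Z window_end=2024-05-01T09:00:00Z
2024-05-01T08:31:00Z hmi_cmd PLC-PUMP-7 cmd_id=201 action=STOP tag=PUMP
2024-05-01T08:31:10Z comm PLC-PUMP-7 state=LOST proto=modbus_tcp
2024-05-01T08:32:00Z hmi_cmd PLC-PUMP-7 cmd_id=202 action=START tag=PUMP
2024-05-01T09:05:00Z comm PLC-COMP-3 state=LOST proto=modbus_tcp
2024-05-01T09:05:30Z alarm PLC-COMP-3 tag=PRESSURE level=HI
"""

@dataclass
class Event:
    ts: datetime
    source: str
    asset: str
    fields: dict

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, source, asset, *kv = line.split()
        events.append(Event(parse_ts(ts), source, asset, dict(p.split("=", 1) for p in kv)))
    return events

def analyze(log_text):
    """Return {asset: {"verdict", "failed_cmds", "corroboration", "suppressed"}}."""
    maint, per_asset = defaultdict(list), defaultdict(list)
    for e in parse_log(log_text):
        if e.source == "maint":
            maint[e.asset].append((parse_ts(e.fields["window_start"]), parse_ts(e.fields["window_end"])))
        else:
            per_asset[e.asset].append(e)

    def planned(e):  # evidence inside a declared planned-work window is not an attack signal
        return any(start <= e.ts <= end for start, end in maint[e.asset])

    findings = {}
    for asset, evs in per_asset.items():
        acks = {e.fields["cmd_id"]: e.ts for e in evs
                if e.source == "hmi_ack" and e.fields.get("status") == "OK"}
        # A command failed if the controller never confirmed it, or confirmed too late.
        failed = [e for e in evs if e.source == "hmi_cmd" and (
            e.fields["cmd_id"] not in acks or acks[e.fields["cmd_id"]] - e.ts > ACK_TIMEOUT)]
        live_failed = [e for e in failed if not planned(e)]
        comms_lost = [e for e in evs if e.source == "comm"
                      and e.fields.get("state") == "LOST" and not planned(e)]
        alarms = [e for e in evs if e.source == "alarm"
                  and e.fields.get("level") in ABNORMAL_ALARM_LEVELS and not planned(e)]
        suppressed = [e for e in evs if e.source in ("hmi_cmd", "comm", "alarm") and planned(e)]

        def describe(lo, hi):  # second-source evidence between lo and hi, as short labels
            return ([f"comm:{e.fields.get('proto', '?')}:LOST" for e in comms_lost if lo <= e.ts <= hi]
                    + [f"alarm:{e.fields['tag']}={e.fields['level']}" for e in alarms if lo <= e.ts <= hi])

        if len(live_failed) >= MIN_FAILED_CMDS:
            # Operators keep issuing commands that do not take effect; require a second
            # source close in time before calling it loss of control.
            corroboration = describe(live_failed[0].ts - CORROBORATION_WINDOW,
                                     live_failed[-1].ts + CORROBORATION_WINDOW)
            verdict = "loss_of_control_candidate" if corroboration else "command_failures_uncorroborated"
        elif comms_lost or alarms:
            corroboration = describe(datetime.min, datetime.max)
            verdict = "loss_of_communication_only" if comms_lost else "process_alarm_only"
        else:
            corroboration = []
            verdict = "suppressed_planned_work" if suppressed else "normal"
        findings[asset] = {"verdict": verdict, "failed_cmds": [e.fields["cmd_id"] for e in live_failed],
                           "corroboration": corroboration, "suppressed": len(suppressed)}
    return findings

if __name__ == "__main__":
    for asset, f in analyze(SAMPLE_LOG).items():
        print(f"{asset}: {f['verdict']} failed={f['failed_cmds']} corroboration={f['corroboration']}")
```

On the sample, PLC-FURNACE-1 yields a loss-of-control candidate (three unconfirmed STOP/ESTOP commands with a Modbus session loss and a HIHI temperature alarm in the same minutes), PLC-PUMP-7 is suppressed because all of its evidence falls inside the declared maintenance window, and PLC-COMP-3 is reported as loss of communication only, since no operator command was attempted against it. The thresholds and the planned-work feed are the parts a site must tune and source locally; without a trustworthy maintenance schedule the suppression branch becomes a blind spot an adversary can hide in.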

Mitigation priorities

  • Establish and test out-of-band communications channels so operators retain a control path during communication failures and data integrity attacks, as described by M0810.
  • Provide redundancy for critical ICS devices and services, including backup devices or hot-standbys where appropriate, as described by M0811.
  • Maintain hardened, separated backups and gold-copy images/configurations for key systems, and exercise incident response plans for impacts to control, view, or availability, as described by M0953.
  • Prioritize recovery playbooks around safe process control and operator decision-making, not only IT system restoration.
  • Use exercises to prove that alternate communications, redundancy, and backups work under realistic loss-of-control conditions.

Analyst notes and limits

The strongest decision value is resilience validation: whether the organization can detect, communicate, fail over, and safely recover when normal ICS control is unavailable. The BSI steel mill reference illustrates why this is material: control system component and installation breakdowns can create major operational and safety consequences. The related mitigations give a practical control sequence: alternate communications, redundancy, and recoverable backups/configurations.

ATT&CK supplies no official detection text, platforms, or aliases for this technique; its only tactic is Impact. Telemetry and detection guidance therefore require local ICS architecture, process safety requirements, vendor logging capabilities, and incident response procedures. Relationship context indicates known campaigns and software using the technique, but it does not prove active exploitation or exposure in any specific environment.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware (ICS)

S0604: Industroyer

Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[1] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[2] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[3]

Platform: Windows

Malware (ICS)

S0372: LockerGoga

LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[1][2]

Platform: Windows

Campaign (ICS)

C0063: 2025 Poland Wiper Attacks

2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper, and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7eead65aa50eb791...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 7eead65aa50e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Corero. Industrial Control System (ICS) Security. Retrieved 2019/11/04.
  2. [2] Michael J. Assante and Robert M. Lee. The Industrial Control System Cyber Kill Chain. SANS Industrial Control System (ICS) Security. Retrieved 2024/11/25.
  3. [3] Tyson Macaulay. RIoT Control: Understanding and Managing Risks and the Internet of Things. Retrieved 2019/11/04.
  4. [4] Bundesamt für Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security). Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany 2014). Retrieved 2019/10/30.
  5. [5] mitre-attack: T0827 (MITRE ATT&CK source object).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.