MITRE ATT&CK® Technique

T0847: Replication Through Removable Media

Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible.

Operators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. [1] [2] The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. [3] [4] [5] [6] [7] [8] The plant has since checked for infection and cleaned up more than 1,000 computers. [9] An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. [10]

ICS | T0847 | Technique | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Replication through removable media matters because it can defeat the assumption that isolated ICS environments are protected simply because they are not internet-connected. ATT&CK describes adversaries copying malware to removable media and relying on physical access or trusted third parties, such as suppliers or contractors, to introduce it into control system environments. For executives, the decision point is whether removable media, maintenance workflows, and third-party access are governed and evidenced as part of operational resilience—not treated as an informal exception to network security.

Executive priority

Prioritize this where critical operations depend on workstations, HMIs, controllers, historians, jump hosts, gateways, or other ICS assets that may be serviced through USB or other removable media. The supplied ATT&CK example from the Gundremmingen nuclear power plant shows why air-gapping alone is not sufficient evidence of risk reduction: malware was found on a facility computer not connected to the internet and on removable disk drives. Leaders should ask for proof of approved-media controls, operating system hardening, hardware installation restrictions, and incident response procedures for scanning, containment, and cleanup across OT assets.

Technical view

ATT&CK provides no official detection text, platforms, or tactics for T0847, but it does provide a detection strategy relationship, DET0733, and mitigation relationships for operating system configuration, limiting hardware installation, and disabling/removing unnecessary features or programs. SOC and IR teams should validate whether removable media activity is visible on ICS workstations, HMIs, control servers, historians, jump hosts, data gateways, and other related assets. Because ATT&CK relates the technique to both conventional systems and embedded ICS assets, coverage should be assessed asset by asset rather than assumed from enterprise endpoint tooling.

Likely telemetry

  • Removable media insertion, mount, and device identification events on supported ICS workstations, servers, HMIs, and jump hosts
  • File creation, copy, execution, and autorun-related activity originating from removable media paths where available
  • Endpoint protection or malware scan results for ICS hosts and removable disk drives
  • Operating system configuration and device-control policy events showing allowed or blocked hardware use
  • Asset inventory identifying systems with physical ports or removable-media workflows

Detection direction

  • Validate DET0733 coverage locally; ATT&CK does not supply the detection logic in the provided object fields.
  • Tune monitoring around removable media use on engineering/operator systems and other related ICS assets, with special attention to systems that are isolated from enterprise networks and may have weaker telemetry forwarding.
  • Correlate removable media events with user role, maintenance windows, supplier or contractor activity, and malware detections to reduce false positives from legitimate maintenance.
  • Do not treat absence of network exposure as absence of exposure; the official description explicitly notes initial access to devices that never connect to untrusted networks but are physically accessible.
  • Identify blind spots where embedded devices, disconnected hosts, or legacy systems cannot produce endpoint telemetry and require compensating process evidence.
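As an added illustration (not part of the ATT&CK object or Glexia's analysis), the following Python sketch applies the correlation described in the bullets above: removable-media insertion events are checked against an approved-device list and maintenance windows, and process creations from removable paths shortly after an insertion are scored by whether they occurred during approved maintenance. Hosts, accounts, device IDs, drive-letter mapping, and the events themselves are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str    # "device_insert" or "process_create"
    detail: str  # device instance ID for inserts, image path for process creations

# Constructed sample telemetry (not real plant data): a device-control log and a
# process-creation log from two ICS workstations merged into one timeline.
EVENTS = [
    Event(datetime(2024, 5, 6, 9, 2), "HMI-01", "contractor.a", "device_insert", "USB\\VID_0781&PID_5583\\SN-APPROVED-17"),
    Event(datetime(2024, 5, 6, 9, 4), "HMI-01", "contractor.a", "process_create", "E:\\fw\\update.exe"),
    Event(datetime(2024, 5, 6, 22, 31), "ENG-02", "operator.b", "device_insert", "USB\\VID_0000&PID_1111\\SN-UNKNOWN-9"),
    Event(datetime(2024, 5, 6, 22, 33), "ENG-02", "operator.b", "process_create", "F:\\autorun.exe"),
    Event(datetime(2024, 5, 6, 22, 40), "ENG-02", "operator.b", "process_create", "C:\\Windows\\notepad.exe"),
]

APPROVED_DEVICES = {"USB\\VID_0781&PID_5583\\SN-APPROVED-17"}   # assumed allowlist
# Approved maintenance windows as (host, account, start, end); assumed values.
MAINTENANCE = [("HMI-01", "contractor.a", datetime(2024, 5, 6, 8), datetime(2024, 5, 6, 12))]
REMOVABLE_DRIVES = ("E:\\", "F:\\")   # drive letters this site maps to removable media (assumed)

def in_maintenance(host, user, ts):
    """True if the account is inside an approved maintenance window on that host."""
    return any(h == host and u == user and s <= ts <= e for h, u, s, e in MAINTENANCE)

def detect(events, window=timedelta(minutes=10)):
    """Return (host, alert_type, detail) tuples for unapproved media use and
    execution from removable paths within `window` of the last insertion."""
    alerts = []
    last_insert = {}  # host -> (insert time, device ID)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "device_insert":
            last_insert[ev.host] = (ev.ts, ev.detail)
            if ev.detail not in APPROVED_DEVICES and not in_maintenance(ev.host, ev.user, ev.ts):
                alerts.append((ev.host, "unapproved_media", ev.detail))
        elif ev.kind == "process_create" and ev.detail.upper().startswith(REMOVABLE_DRIVES):
            ins = last_insert.get(ev.host)
            if ins and ev.ts - ins[0] <= window:
                # Approved device during approved maintenance is low severity; anything else is high.
                sev = "low" if ins[1] in APPROVED_DEVICES and in_maintenance(ev.host, ev.user, ev.ts) else "high"
                alerts.append((ev.host, f"exec_from_removable_{sev}", ev.detail))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Hosts that cannot forward these events (embedded devices, disconnected legacy systems) produce no rows here, which is exactly the blind spot the last bullet asks teams to document.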

Mitigation priorities

  • Start with hardware-use governance: apply M0934 by blocking users or groups from installing or using unapproved hardware, including USB devices, where operationally feasible.
  • Harden host behavior using M0928 operating system configuration controls on ICS systems that support them.
  • Apply M0942 by disabling or removing unnecessary features or programs that could enable removable-media abuse.
  • Require approved removable-media handling for suppliers, contractors, and maintenance workflows, with scanning and accountability evidence aligned to local operational constraints.
  • Ensure incident response plans include offline or isolated asset scanning, removable drive collection, cleanup validation, and operational sign-off before returning systems to normal use.

Analyst notes and limits

This technique is especially relevant to ICS environments because the relationship set spans workstations, HMIs, PLCs, RTUs, IEDs, historians, control servers, application servers, gateways, safety controllers, VPN servers, jump hosts, Field I/O, DCS controllers, and PACs. ATT&CK also relates the technique to Stuxnet and Conficker; the supplied description specifically cites Conficker and W32.Ramnit findings on removable disk drives and facility computers at Gundremmingen. Use this as a control-validation scenario for OT security, third-party access governance, and evidence collection rather than as a claim of current exploitation in any specific environment.

The provided ATT&CK object has no official detection text, no tactic assignment, and no technique platform list. Telemetry and control recommendations therefore require local validation against the actual ICS architecture, operating systems, embedded-device constraints, physical access model, and maintenance practices.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware | ICS

S0608: Conficker

Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[1] In 2016, a variant of Conficker made its way onto computers and removable disk drives belonging to a nuclear power plant.[2]

Platforms: Windows

Malware | ICS

S0603: Stuxnet

Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: cd98df302553af32...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | cd98df302553…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Kernkraftwerk Gundremmingen. (2016, April 25). Detektion von Büro-Schadsoftware an mehreren Rechnern. Retrieved 2019/10/14.
  2. [2] Trend Micro. (2016, April 27). Malware Discovered in German Nuclear Power Plant. Retrieved 2019/10/14.
  3. [3] Christoph Steitz, Eric Auchard. (2016, April 26). German nuclear plant infected with computer viruses, operator says. Retrieved 2019/10/14.
  4. [4] Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved 2019/10/14.
  5. [5] Peter Dockrill. (2016, April 28). Multiple Computer Viruses Have Been Discovered in This German Nuclear Plant. Retrieved 2019/10/14.
  6. [6] Lee Mathews. (2016, April 27). German nuclear plant found riddled with Conficker, other viruses. Retrieved 2024/11/17.
  7. [7] Sean Gallagher. (2016, April 27). German nuclear plant's fuel rod system swarming with old malware. Retrieved 2019/10/14.
  8. [8] Dark Reading Staff. (2016, April 28). German Nuclear Power Plant Infected With Malware. Retrieved 2019/10/14.
  9. [9] BBC. (2016, April 28). German nuclear plant hit by computer viruses. Retrieved 2019/10/14.
  10. [10] ESET. (2016, April 28). Malware found at a German nuclear power plant. Retrieved 2019/10/14.
  11. [11] mitre-attack. T0847.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.