T0860: Wireless Compromise
Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. [1] [2] Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance.
A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. [3] [4] The remote controller device allowed the student to interface with the tram network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of the IR control protocol signals. [5] The controller then enabled initial access to the network, allowing the capture and replay of tram signals. [3]
Analyst context for executives and security teams
Wireless Compromise matters because some ICS environments can be reached without touching a corporate network first. If wireless, radio, infrared, or similar communications can be monitored, spoofed, replayed, or used to reach control-system components, an adversary may gain initial access from outside normal physical or network boundaries. For executives, the practical issue is not just Wi-Fi security; it is whether operational technology communications can be trusted when signals may extend beyond the facility or be reproduced by unauthorized devices.
Executive priority
Treat this as a cyber-physical resilience concern. Leaders should ask whether critical wireless or radio-linked control paths are inventoried, authenticated, encrypted, and tested for signal leakage beyond controlled areas. Priority should go to systems where wireless access could affect operator workstations, field I/O, or safety- and service-impacting operations. This technique also creates audit and incident-response questions: can the organization prove which wireless paths exist, who or what is allowed to transmit, and whether suspicious wireless activity would be noticed quickly?
Technical view
MITRE provides no official detection text for T0860, but the object is associated with a detection strategy, DET0726, and mitigations focused on authenticity, signal propagation reduction, encryption, and device/process authentication. SOC, OT security, and IR teams should validate visibility across wireless communications used near ICS assets, especially where workstations or embedded field I/O communicate through wireless, radio, or similar channels. Detection engineering should focus on unauthorized connections, unexpected devices, message spoofing or replay indicators, integrity/authentication failures, and activity that does not align with approved operational procedures.
Likely telemetry
- Wireless/RF site survey results and signal propagation measurements around operational areas
- Wireless access, association, authentication, and connection logs where such infrastructure exists
- Logs or alerts from systems enforcing device authentication, message authentication, digital signatures, or integrity checks
- OT network traffic records showing communications between workstations, controllers, data aggregators, and field I/O
- Operator workstation logs related to configuration, diagnostic, maintenance, or control-system application activity
Detection direction
- Start by confirming the wireless communication inventory; detection cannot be reliable if radio, infrared, or other wireless control paths are undocumented.
- Validate whether DET0726 or an equivalent internal detection strategy exists and is mapped to real telemetry, not just policy language.
- Tune for unauthorized transmitters, unexpected wireless devices, anomalous connection attempts, and control messages that fail authenticity or integrity checks.
- Look for replay-like or spoofing-like patterns where similar commands or signals occur outside expected operating context, while accounting for normal maintenance and diagnostic activity.
- Correlate wireless observations with OT network activity and operator workstation actions to reduce false positives and identify whether wireless activity produced operational effects.
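The detection directions above can be exercised against constructed telemetry. The following is an added example, not part of the ATT&CK object or of any vendor tool: it takes a hypothetical inventory of approved transmitters, a hypothetical maintenance window, and constructed association and OT command log lines, and flags (a) transmitters that are not in the inventory, (b) replay-like bursts of identical control commands outside the maintenance window, and (c) which operational targets an unapproved transmitter actually commanded. All MAC addresses, device names, log formats and command strings are assumptions chosen for the example.

```python
"""Added example: flag unauthorized transmitters and replay-like command
bursts in constructed wireless/OT telemetry. Not part of the ATT&CK object;
log formats, MACs, names and thresholds are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of approved wireless transmitters (hypothetical MACs).
APPROVED_TRANSMITTERS = {
    "00:1a:2b:3c:4d:01": "hmi-ws-01",
    "00:1a:2b:3c:4d:02": "rtu-07",
}

# Constructed approved maintenance window; repeated identical commands are
# expected here (diagnostics), so they should not be treated as replay.
MAINTENANCE_WINDOW = (datetime(2024, 5, 6, 2, 0), datetime(2024, 5, 6, 4, 0))

# Constructed association log: timestamp, event, client MAC, access point.
ASSOC_LOG = """\
2024-05-06T01:58:10 ASSOC 00:1a:2b:3c:4d:01 ap-plant-1
2024-05-06T09:12:04 ASSOC 00:1a:2b:3c:4d:02 ap-plant-1
2024-05-06T09:13:55 ASSOC de:ad:be:ef:00:11 ap-plant-1
"""

# Constructed OT command records: timestamp, source MAC, target, command.
COMMAND_LOG = """\
2024-05-06T02:10:00 00:1a:2b:3c:4d:01 plc-track-3 SET_SWITCH=LEFT
2024-05-06T02:10:02 00:1a:2b:3c:4d:01 plc-track-3 SET_SWITCH=LEFT
2024-05-06T09:14:01 de:ad:be:ef:00:11 plc-track-3 SET_SWITCH=LEFT
2024-05-06T09:14:01 de:ad:be:ef:00:11 plc-track-3 SET_SWITCH=LEFT
2024-05-06T09:14:02 de:ad:be:ef:00:11 plc-track-3 SET_SWITCH=LEFT
2024-05-06T09:20:00 00:1a:2b:3c:4d:02 plc-track-3 SET_SWITCH=RIGHT
"""


def parse(text):
    """Split whitespace-delimited log lines into field lists."""
    return [line.split() for line in text.strip().splitlines()]


def in_window(ts, window):
    return window[0] <= ts <= window[1]


def unauthorized_transmitters(assoc_text, approved=APPROVED_TRANSMITTERS):
    """Return MACs that associated with an AP but are absent from the inventory."""
    found = set()
    for _ts, event, mac, _ap in parse(assoc_text):
        if event == "ASSOC" and mac not in approved:
            found.add(mac)
    return sorted(found)


def replay_candidates(cmd_text, window=timedelta(seconds=5), min_repeats=3,
                      maintenance=MAINTENANCE_WINDOW):
    """Return (mac, target, command) tuples repeated at least min_repeats times
    within `window`, ignoring activity inside the approved maintenance window."""
    seen = defaultdict(list)
    for ts_s, mac, target, command in parse(cmd_text):
        ts = datetime.fromisoformat(ts_s)
        if in_window(ts, maintenance):
            continue
        seen[(mac, target, command)].append(ts)
    flagged = []
    for key, times in seen.items():
        times.sort()
        for i in range(len(times) - min_repeats + 1):
            if times[i + min_repeats - 1] - times[i] <= window:
                flagged.append(key)
                break
    return flagged


def correlate(assoc_text, cmd_text):
    """Join unapproved transmitters to the OT targets and commands they issued,
    so an alert says what the rogue wireless activity actually did."""
    rogue = set(unauthorized_transmitters(assoc_text))
    effects = defaultdict(set)
    for _ts, mac, target, command in parse(cmd_text):
        if mac in rogue:
            effects[mac].add((target, command))
    return {mac: sorted(v) for mac, v in effects.items()}


if __name__ == "__main__":
    print("unapproved transmitters:", unauthorized_transmitters(ASSOC_LOG))
    print("replay-like bursts:", replay_candidates(COMMAND_LOG))
    print("rogue effects:", correlate(ASSOC_LOG, COMMAND_LOG))
```

The thresholds (three identical commands within five seconds) are placeholders; in a real deployment they come from the protocol's normal command cadence, and the maintenance-window exclusion should be driven by the change-management system rather than a hard-coded interval.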
Mitigation priorities
- Inventory wireless and radio-frequency communication paths used in or near ICS operations, including those connected to workstations and field I/O.
- Reduce unnecessary wireless signal propagation beyond organizational boundaries through measurement, design review, and appropriate containment controls.
- Require communication authenticity so receivers can verify the sender and message integrity, using mechanisms such as message authentication codes or digital signatures where appropriate.
- Encrypt network traffic to reduce eavesdropping risk on wireless communications.
- Require strong device and software process authentication for remote connections and API access where applicable.
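The communication authenticity mitigation above, as an added example rather than code from MITRE or any control-system vendor: a command frame carrying a monotonic counter and a truncated HMAC-SHA256 tag over counter and command. The receiver rejects frames whose tag does not verify (an attacker without the key cannot forge a command) and frames whose counter does not advance (a captured frame, the Lodz-style replay, is rejected on second delivery). The key, frame layout, tag length and command strings are hypothetical; the unauthenticated path is included only to show the weak design beside the corrected one.

```python
"""Added example: authenticated, replay-resistant command frames for a
wireless control link using HMAC-SHA256 and a monotonic counter.
Hypothetical key, frame layout and commands; not the page's own code."""
import hashlib
import hmac
import struct

# Hypothetical pre-shared key provisioned to one transmitter and the receiver.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Truncated tag; 128-bit tags are a common compromise on constrained links.
TAG_LEN = 16


def build_frame(key, counter, command):
    """Sender side: frame = counter (4 bytes, big-endian) || command || tag."""
    body = struct.pack(">I", counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Hardened receiver: verifies the tag, then enforces counter freshness."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, frame):
        """Return (command, "ok") if authentic and fresh, else (None, reason)."""
        if len(frame) < 4 + TAG_LEN:
            return None, "truncated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; check authenticity before parsing anything.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return None, "replay"
        self.last_counter = counter
        return body[4:], "ok"


def unauthenticated_receiver(frame):
    """The weak design: anything heard on the channel is acted on. A captured
    frame replayed later, or a frame from a stranger's transmitter, is accepted."""
    return frame, "ok"


def demo():
    rx = Receiver(SHARED_KEY)
    f1 = build_frame(SHARED_KEY, 1, b"SET_SWITCH=LEFT")
    r1 = rx.accept(f1)            # accepted
    r_replay = rx.accept(f1)      # same frame replayed: counter did not advance
    forged = struct.pack(">I", 2) + b"SET_SWITCH=RIGHT" + b"\x00" * TAG_LEN
    r_forged = rx.accept(forged)  # no key, so the tag cannot verify
    f3 = build_frame(SHARED_KEY, 3, b"SET_SWITCH=RIGHT")
    r3 = rx.accept(f3)            # fresh counter, accepted
    weak = unauthenticated_receiver(f1)  # legacy path accepts the replay
    return r1, r_replay, r_forged, r3, weak


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "forged", "fresh", "weak"), demo()):
        print(f"{label}: {result}")
```

Two caveats for a real link: the 32-bit counter must never wrap under one key (rotate or rekey well before 2^32 frames), and a receiver that only tracks one transmitter's counter needs per-sender state when several approved devices share the channel. Encryption is a separate control; this frame is authenticated but readable, which matches the page's distinction between authenticity and confidentiality.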
Analyst notes and limits
The relationship context is important: T0860 is mitigated by Communication Authenticity, Minimize Wireless Signal Propagation, Encrypt Network Traffic, and Software Process and Device Authentication. It targets ICS asset types including Workstation and Field I/O, and is associated with the Maroochy Water Breach campaign in ATT&CK. The Lodz tram example in the MITRE description illustrates why signal replay and unauthorized wireless control can become a physical operations issue, but local risk depends on the organization’s actual wireless architecture.
MITRE does not provide official detection guidance, tactics, platforms, aliases, or labels for this technique in the supplied object. The technique platform field is empty, so platform-specific coverage should not be assumed. Any assessment of exposure or detection coverage requires local evidence: wireless inventories, RF measurements, control-system architecture, authentication/encryption implementation, and available OT/SOC telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
C0020: Maroochy Water Breach
Maroochy Water Breach was an incident in 2000 where an adversary leveraged the local government’s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 93df44b56d0a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Alexander Bolshev, Gleb Cherbov. "ICSCorsair: How I will PWN your ERP through 4-20 mA current loop." July 8, 2014. Retrieved January 5, 2020.
[2] Alexander Bolshev. "S4x14: HART As An Attack Vector." March 11, 2014. Retrieved November 17, 2024.
[3] John Bill. "Hacked Cyber Security Railways." May 12, 2017. Retrieved October 17, 2019.
[4] Shelley Smith. "Teen Hacker in Poland Plays Trains and Derails City Tram System." February 12, 2008. Retrieved October 17, 2019.
[5] Bruce Schneier. "Hacking Polish Trams." January 17, 2008. Retrieved October 17, 2019.
[6] MITRE ATT&CK. "T0860: Wireless Compromise."
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.