MITRE ATT&CK® Technique

T0862: Supply Chain Compromise

Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment.

Supply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment.

Counterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. [1]

Yokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. [1]

F-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. [2] The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).

Domain: ICS | ID: T0862 | Type: Technique | Object version: 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Supply Chain Compromise matters because it can bypass many perimeter assumptions: a trusted vendor download, patch, device, or delivery process may be the path into an ICS environment. For executives and operations leaders, the practical issue is not only malware risk but confidence that installed control-system products, firmware, software, and components are genuine, intact, and sourced through trusted channels. The ATT&CK object also highlights counterfeit ICS devices as a safety and operational risk, making this relevant to both cyber resilience and physical process assurance.

Executive priority

Treat this as a governance and assurance problem, not only a SOC alerting problem. Leaders should ask whether procurement, engineering, OT operations, IT, and security can prove supplier trust, verify software and device integrity, and respond if a vendor package or component is later found to be compromised or counterfeit. Priority should be highest where compromised IT assets could enable access toward OT assets, or where HMIs, engineering workstations, controllers, gateways, VPN servers, jump hosts, firewalls, or safety-related devices depend on third-party software, firmware, or hardware.

Technical view

ATT&CK provides no official detection text for T0862, but the relationship context includes DET0730, Detection of Supply Chain Compromise, and multiple mitigations focused on supply chain management, code signing, auditing, vulnerability scanning, and software updates. SOC, detection, and IR teams should validate whether they can reconstruct the provenance and integrity of software installers, patches, firmware, device images, and newly introduced hardware across the ICS asset types targeted by this technique. Special attention should be paid to workstations, HMIs, application servers, control servers, data historians, jump hosts, VPN servers, data gateways, firewalls, controllers, PLCs, RTUs, IEDs, PACs, safety controllers, switches, and field I/O because the relationship set indicates broad potential target relevance across IT-like, embedded, and networked ICS assets.

Likely telemetry

  • Software installation and update records for ICS/SCADA applications, patches, and vendor tools
  • File integrity evidence such as hashes, digital signature verification results, and known-good baselines
  • Firmware, program, configuration, and device integrity check results, especially after reboots, downloads, or restarts
  • Asset inventory records linking devices and software to trusted suppliers and approved procurement paths
  • Vulnerability scan and audit findings for systems, permissions, insecure software, and insecure configurations where scanning is operationally acceptable

Detection direction

  • Validate DET0730-style coverage against the actual supply-chain workflow: procurement, download, staging, installation, commissioning, update, and maintenance.
  • Tune detections around integrity failures, unsigned or improperly signed binaries, unexpected installer behavior, unexpected firmware or configuration changes, and divergence from known-good device or software baselines.
  • Correlate technical telemetry with asset inventory and supplier records; a binary hash or device serial number is more useful when defenders know what should have been installed, from whom, and when.
  • Account for false positives from legitimate maintenance windows, emergency patches, engineering downloads, and vendor support activity by requiring change records and approved-source evidence.
  • Do not rely only on endpoint alerts. Counterfeit devices and manipulated firmware may require procurement evidence, device inspection, cryptographic verification, and engineering validation.

Mitigation priorities

  • Establish or validate a supply chain management program requiring trusted suppliers and integrity testing for devices and components, aligned to M0817.
  • Enforce code signing and digital signature verification for binaries and applications where supported, aligned to M0945.
  • Perform periodic audits and integrity checks of systems, permissions, software, configurations, firmware, programs, and device states, aligned to M0947.
  • Use vulnerability scanning to identify exploitable software weaknesses where scanning is safe for the ICS environment, aligned to M0916.
  • Maintain regular software updates while scheduling around operational downtime and OT change-control requirements, aligned to M0951.
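
The detection and mitigation bullets above converge on one workflow: take an installation or firmware-load record, compare it against a known-good baseline (expected hash, signature requirement, trusted supplier), confirm the download source and the change record, and rank what is left. The following is an added example of that correlation logic, not Glexia's or MITRE's code and not tied to any real vendor. The product names, supplier names, download hosts, change-ticket ids and the "installer" byte strings that produce the baseline hashes are all constructed for the example; the record fields (`sha256`, `signature`, `source_host`, `change_ticket`) are assumptions about what an endpoint agent or change-management export would carry.

```python
import hashlib

# Constructed stand-ins for genuine vendor artifacts. In practice the baseline
# hashes come from procurement records and vendor-published manifests, never
# from the file that happens to be on the workstation.
GENUINE_HMI_INSTALLER = b"constructed stand-in for a genuine HMI Studio 4.2.1 installer"
GENUINE_COLLECTOR_FW = b"constructed stand-in for a genuine collector firmware image"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


# Known-good baseline: what SHOULD be installed, from whom, with which hash
# (hypothetical products and suppliers).
BASELINE = {
    "HMI Studio 4.2.1": {
        "supplier": "vendor-a",
        "sha256": sha256_hex(GENUINE_HMI_INSTALLER),
        "requires_signature": True,
    },
    "Collector firmware 2.0": {
        "supplier": "vendor-b",
        "sha256": sha256_hex(GENUINE_COLLECTOR_FW),
        "requires_signature": False,  # embedded image: hash + approved source only
    },
}

# Download hosts procurement has approved per supplier (constructed names).
APPROVED_SOURCES = {
    "vendor-a": {"downloads.vendor-a.example"},
    "vendor-b": {"support.vendor-b.example"},
}

# Constructed installation records, as an endpoint agent or change system might export them.
INSTALL_LOG = [
    {"id": 1, "host": "eng-ws-01", "product": "HMI Studio 4.2.1",
     "sha256": sha256_hex(GENUINE_HMI_INSTALLER), "signature": "valid",
     "source_host": "downloads.vendor-a.example", "change_ticket": "CHG-1001"},
    # Signature reported valid but the bytes differ from the baseline: the case a
    # signature check alone would miss.
    {"id": 2, "host": "eng-ws-02", "product": "HMI Studio 4.2.1",
     "sha256": sha256_hex(b"constructed tampered installer"), "signature": "valid",
     "source_host": "downloads.vendor-a.example", "change_ticket": "CHG-1002"},
    # Unsigned, pulled from an unapproved mirror, with no change record.
    {"id": 3, "host": "hmi-03", "product": "HMI Studio 4.2.1",
     "sha256": sha256_hex(GENUINE_HMI_INSTALLER), "signature": "missing",
     "source_host": "mirror.example.net", "change_ticket": ""},
    # Firmware image with the right hash, loaded during an unrecorded maintenance visit.
    {"id": 4, "host": "gw-01", "product": "Collector firmware 2.0",
     "sha256": sha256_hex(GENUINE_COLLECTOR_FW), "signature": "n/a",
     "source_host": "support.vendor-b.example", "change_ticket": ""},
    # Product that appears in no procurement record at all.
    {"id": 5, "host": "eng-ws-01", "product": "Unknown Tool 9",
     "sha256": sha256_hex(b"constructed unknown tool"), "signature": "valid",
     "source_host": "downloads.vendor-a.example", "change_ticket": "CHG-1003"},
]


def assess(record, baseline=BASELINE, approved=APPROVED_SOURCES):
    """Return the list of provenance/integrity findings for one install record."""
    entry = baseline.get(record["product"])
    if entry is None:
        # Nothing to compare against: this needs a procurement answer, not a hash check.
        return ["unknown_product"]
    findings = []
    if record["sha256"] != entry["sha256"]:
        findings.append("hash_mismatch")
    if entry["requires_signature"] and record["signature"] != "valid":
        findings.append("signature_" + record["signature"])
    if record["source_host"] not in approved.get(entry["supplier"], set()):
        findings.append("unapproved_source")
    if not record.get("change_ticket"):
        findings.append("no_change_record")
    return findings


def severity(findings):
    """Rank findings: integrity failures outrank process gaps."""
    if not findings:
        return "ok"
    if "hash_mismatch" in findings or any(f.startswith("signature_") for f in findings):
        return "high"
    if "unapproved_source" in findings or "unknown_product" in findings:
        return "medium"
    return "low"


def triage(records=INSTALL_LOG):
    """Map record id -> (severity, findings) for a batch of install records."""
    out = {}
    for r in records:
        f = assess(r)
        out[r["id"]] = (severity(f), f)
    return out


if __name__ == "__main__":
    for rid, (sev, findings) in sorted(triage().items()):
        print(f"record {rid}: {sev:6} {findings}")
```

Record 2 is the one worth noting: a valid signature with a non-baseline hash is exactly why hash, signature and approved-source evidence are checked together rather than trusting any one of them. Record 4 shows the counterfeit-device side of the technique: the image matches, so the only signal is the missing change record, which is a procurement and engineering question rather than an endpoint alert.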

Analyst notes and limits

The supplied ATT&CK object includes examples involving counterfeit Yokogawa differential pressure transmitters and trojanized ICS/SCADA vendor website installers associated with Havex reporting. It also includes a relationship showing Dragonfly uses this technique, but this take does not infer current activity or local exposure from that relationship alone. The strongest defensive value is in proving provenance, integrity, and change control across the full ICS supply chain rather than treating this as a single malware detection problem.

ATT&CK does not provide official detection text, tactics, or platforms for the technique itself. Platform detail is only available through related targeted ICS assets, so local asset architecture is required to determine where coverage applies. Detection and mitigation feasibility will vary by vendor support, operational downtime constraints, embedded device capabilities, and the organization’s procurement and engineering processes.

Official MITRE ATT&CK definition

Supply Chain Compromise

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group (ICS domain)

G0035: Dragonfly

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 1d75d098a7b13c36...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | 1d75d098a7b1…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Control Global. (2019, May 29). Yokogawa announcement warns of counterfeit transmitters. Retrieved 2021/04/09.
  2. [2] Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved 2019/04/01.
  3. [3] mitre-attack. T0862.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.