T0879: Damage to Property
Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in Loss of Safety. Operations that result in Loss of Control may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of Loss of Productivity and Revenue.
The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in the section of its 2014 IT Security Report covering incidents affecting business. [1] These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace.
A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. [2] [3] [4] Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. [3] Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. [4]
Analyst context for executives and security teams
Damage to Property is an ICS impact technique where cyber activity against control systems can translate into physical harm to equipment, infrastructure, people, or the surrounding environment. For leaders, the decision value is that this is not only an IT incident category; it can become an operational resilience, safety, environmental, revenue, and regulatory evidence problem. The ATT&CK examples include industrial equipment breakdown from a steel mill incident and tram system interference that caused derailments and damage.
Executive priority
Prioritize this behavior wherever control systems support safety-critical, production-critical, transportation, utility, or environmental processes. Executives should ask whether cyber incident plans, safety systems, engineering escalation paths, and business continuity plans are integrated enough to make fast shutdown, isolation, recovery, and reporting decisions. Budget and audit discussions should focus on whether mechanical protection layers, Safety Instrumented Systems, and network allowlists are actually designed, segmented, tested, and evidenced for scenarios that could cause physical damage.
Technical view
SOC, OT security, and incident response teams should treat this as a consequence-focused ICS technique rather than a single detectable command or platform-specific behavior. ATT&CK provides no official detection text and no platforms or tactics for this object, so local engineering context is essential. Validate whether DET0762, Detection of Damage to Property, is mapped into monitoring use cases, and correlate cyber indicators with operational evidence such as abnormal control states, equipment faults, alarms, safety system actions, unexpected shutdowns, and physical inspection results. Relationship context also supports reviewing mitigations M0805 Mechanical Protection Layers, M0807 Network Allowlists, and M0812 Safety Instrumented Systems.
Likely telemetry
- Control system alarms, events, and operator actions from OT monitoring systems
- Historian or process data showing abnormal operating conditions, shutdowns, or equipment stress
- PLC, controller, engineering workstation, and HMI logs where available
- Network traffic records for ICS segments, especially allowed or unexpected device-to-device connections
- Safety Instrumented System events, trips, sensor states, and logic solver/final control element actions where available
Detection direction
- Because ATT&CK does not provide official detection guidance for T0879, validate detections against site-specific hazardous scenarios and engineering-defined damage thresholds.
- Correlate cyber telemetry with physical process evidence; do not rely only on IT alerts to identify property damage outcomes.
- Tune for abnormal control states, forced or uncontrolled shutdowns, repeated equipment faults, unexpected safety system actions, and anomalous ICS network communications that precede or coincide with damage indicators.
- Account for false positives from maintenance, testing, emergency shutdowns, storms, equipment aging, or operator-approved process changes.
- Use the relationship to DET0762 as a prompt to document what evidence would prove or disprove Damage to Property in each facility, including who confirms physical damage and when IR escalates to safety or operations leadership.
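The correlation described in this list can be sketched as follows. This is an added example, not ATT&CK or Glexia code: it pairs physical damage indicators with non-allowlisted ICS flows to the same asset inside a lookback window and downgrades matches that fall in an approved maintenance window. All hostnames, event types, timestamps, the allowlist contents and the 15-minute window are constructed assumptions to be replaced with site-specific values.

```python
from datetime import datetime, timedelta

# Assumed site allowlist of (source, destination, port) permitted on the ICS segment.
ALLOWLIST = {("hmi-01", "plc-07", 502), ("eng-ws-02", "plc-07", 44818)}
# Constructed sample telemetry: hostnames, event types and times are illustrative.
FLOWS = [
    {"ts": "2024-03-04T02:10:00", "src": "hmi-01", "dst": "plc-07", "port": 502},
    {"ts": "2024-03-04T02:14:30", "src": "hist-03", "dst": "plc-07", "port": 502},
    {"ts": "2024-03-05T09:05:00", "src": "laptop-9", "dst": "plc-07", "port": 502},
]
PROCESS_EVENTS = [
    {"ts": "2024-03-04T02:21:00", "asset": "plc-07", "type": "SIS_TRIP"},
    {"ts": "2024-03-05T09:12:00", "asset": "plc-07", "type": "EQUIPMENT_FAULT"},
    {"ts": "2024-03-06T14:00:00", "asset": "plc-07", "type": "UNPLANNED_SHUTDOWN"},
]
# Approved maintenance/testing windows per asset, a known false-positive source.
MAINTENANCE = [("plc-07", "2024-03-05T08:00:00", "2024-03-05T12:00:00")]

def _t(s):
    return datetime.fromisoformat(s)

def in_maintenance(asset, when, windows=MAINTENANCE):
    return any(a == asset and _t(lo) <= when <= _t(hi) for a, lo, hi in windows)

def correlate(flows, events, allowlist=ALLOWLIST, lookback=timedelta(minutes=15)):
    """Pair each physical damage indicator with non-allowlisted flows to the
    same asset that precede or coincide with it inside the lookback window."""
    findings = []
    for ev in events:
        ev_t = _t(ev["ts"])
        suspects = sorted(
            f["src"] for f in flows
            if f["dst"] == ev["asset"]
            and (f["src"], f["dst"], f["port"]) not in allowlist
            and ev_t - lookback <= _t(f["ts"]) <= ev_t
        )
        if not suspects:
            status = "process-only"      # no cyber evidence: engineering review
        elif in_maintenance(ev["asset"], ev_t):
            status = "review"            # overlaps approved work: lower priority
        else:
            status = "escalate"          # cyber and physical evidence coincide
        findings.append({"event": ev["type"], "status": status, "sources": suspects})
    return findings

if __name__ == "__main__":
    for finding in correlate(FLOWS, PROCESS_EVENTS):
        print(finding)
```

A "review" result is deliberately kept rather than dropped, so that an unexpected device communicating during maintenance still reaches an analyst.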
Mitigation priorities
- Start with engineering-led hazard analysis for processes where cyber activity could cause property damage, safety loss, environmental release, or revenue-impacting shutdown.
- Implement and periodically test Mechanical Protection Layers such as interlocks, rupture disks, release valves, or other physical/mechanical protections where appropriate.
- Use Safety Instrumented Systems as an additional protection layer for hazard scenarios and ensure they are segmented from operational networks as described in the ATT&CK mitigation relationship.
- Apply Network Allowlists to restrict which devices, addresses, ports, protocols, and connections are permitted in relevant ICS environments.
- Integrate cyber incident response with operations, safety, maintenance, and environmental response procedures so teams can preserve evidence while prioritizing human safety and process stabilization.
Analyst notes and limits
This object is material because it connects cyber activity to real-world physical consequences. The supplied relationships show that Damage to Property can be mitigated through mechanical protection layers, network allowlists, and Safety Instrumented Systems, and that it is associated with a detection strategy. The campaign relationship to the Maroochy Water Breach reinforces that ICS incidents can result in environmental and community impact, but this analysis does not infer current exploitation or customer exposure.
ATT&CK supplies no official detection text, no platforms, and no tactics for this technique. The practical detection and control approach must therefore be tailored to the specific industrial process, safety case, telemetry maturity, and engineering constraints of each environment. The cited incidents are historical examples and should not be treated as evidence of active exploitation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
C0020: Maroochy Water Breach
Maroochy Water Breach was an incident in 2000 where an adversary leveraged the local government’s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 8f1f2e5d5f37… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Bundesamt für Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security). 2014. Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany). Retrieved 2019/10/30.
- [2] John Bill. 2017, May 12. Hacked Cyber Security Railways. Retrieved 2019/10/17.
- [3] Shelley Smith. 2008, February 12. Teen Hacker in Poland Plays Trains and Derails City Tram System. Retrieved 2019/10/17.
- [4] Bruce Schneier. 2008, January 17. Hacking Polish Trams. Retrieved 2019/10/17.
- [5] mitre-attack. T0879.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.