MITRE ATT&CK® Technique

T0882: Theft of Operational Information

Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. [1] [2]

ICS | T0882 | Technique | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Theft of Operational Information is an ICS-focused behavior where an adversary seeks production-environment knowledge such as design documents, schedules, rotational data, engineering plans, device or process information, and other artifacts that explain how operations work. For leaders, the risk is not only data loss: this information can improve an adversary’s ability to plan later disruption, espionage, extortion, or targeted intrusion against operational environments.

Executive priority

Treat this as a business-continuity and intellectual-property protection issue, not just an IT data-leak problem. Executives should ask whether operational documents, process telemetry, engineering files, facility information, and configuration data are classified, access-controlled, encrypted where appropriate, and monitored for unusual movement. This technique is especially relevant to OT/ICS risk governance because ATT&CK links it to operational confidentiality controls, DLP, file-permission restrictions, and encryption of sensitive information.

Technical view

ATT&CK provides no platform, tactic, or native detection text for T0882, so SOC and IR teams should validate coverage around the data classes and repositories that hold operational information. Relationship context points defenders toward DET0732 for detection strategy and mitigations M0803, M0809, M0922, and M0941. Practical validation should include whether DLP or equivalent controls can identify attempts to move engineering plans, trade secrets, recipes, IP, process telemetry, AutoCAD-style drawings, schedules, rotational data, device configurations, programs, and operational databases through email, web, network paths, host agents, or physical media where those channels are in scope.

Likely telemetry

  • File access and modification logs for repositories containing operational documents, engineering files, configurations, programs, schedules, and process data
  • DLP alerts or content inspection logs for operational information moving through email, web, network egress, endpoint agents, or removable media where deployed
  • Authentication and authorization logs for access to sensitive OT/ICS document stores and file shares
  • File and directory permission audit evidence for sensitive operational information repositories
  • Encryption and key-management evidence for sensitive data-at-rest

Detection direction

  • Inventory the specific information types that would materially help an adversary understand operations, then map where they reside and which logs prove access or movement.
  • Validate DET0732-related detection content, if available locally, against realistic business workflows so normal engineering, maintenance, and vendor activity is not mistaken for theft.
  • Tune for unusual access volume, unusual destinations, atypical users, after-hours retrieval, bulk reads, archive creation, and transfers from repositories containing operational information.
  • Account for blind spots: ATT&CK supplies no official detection text, tactics, or platforms for this object, so coverage depends heavily on local data classification, logging, DLP deployment, and OT/IT architecture.
  • Use relationship context carefully: ATT&CK associates this behavior with software such as Duqu, Flame, REvil, and ACAD/Medre.A and campaign C0063, but those relationships should guide threat-informed hunting rather than be treated as proof of local activity.
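As an added example (not part of the ATT&CK object or of Glexia's analysis), the following Python routine applies three of the signals listed above, after-hours retrieval, bulk reads and archive creation, to constructed file-access log lines. The repository paths, log format, business-hours window and thresholds are assumptions for illustration.

```python
# Added example, not from ATT&CK or Glexia: hunting over constructed
# file-access log lines for after-hours reads, bulk reads and archive
# creation in assumed OT document repositories (paths/thresholds invented).
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_PREFIXES = ("/ot-share/engineering/", "/ot-share/plc-programs/")
BUSINESS_HOURS = (6, 20)                 # assumed normal window: 06:00-19:59
BULK_THRESHOLD, BULK_WINDOW = 5, timedelta(minutes=10)
ARCHIVE_EXT = (".zip", ".7z", ".rar")

# Constructed sample log, one event per line: "<iso-timestamp> <user> <action> <path>"
SAMPLE_LOG = """\
2025-01-14T09:12:03 eng_alice READ /ot-share/engineering/pump-station-p101.dwg
2025-01-14T23:41:10 svc_backup READ /ot-share/plc-programs/line3-cpu315.s7p
2025-01-15T02:03:01 contractor7 READ /ot-share/engineering/site-layout.dwg
2025-01-15T02:03:09 contractor7 READ /ot-share/engineering/shift-rotation-2025.xlsx
2025-01-15T02:03:15 contractor7 READ /ot-share/engineering/recipe-batch-44.pdf
2025-01-15T02:03:22 contractor7 READ /ot-share/engineering/hmi-tags.csv
2025-01-15T02:03:30 contractor7 READ /ot-share/engineering/network-diagram.vsdx
2025-01-15T02:05:02 contractor7 WRITE /ot-share/engineering/export.zip
2025-01-15T10:30:00 eng_bob READ /corp-share/hr/holidays.pdf
"""

def parse(line):
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def hunt(log_text):
    """Return (rule, user, timestamp) findings in log order; a user is
    reported for bulk_read at most once."""
    findings, recent, bulk_flagged = [], defaultdict(list), set()
    for line in log_text.splitlines():
        ts, user, action, path = parse(line)
        if not path.startswith(SENSITIVE_PREFIXES):
            continue                     # only operational repositories matter
        if action == "READ":
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                findings.append(("after_hours_read", user, ts))
            # sliding window of this user's sensitive reads within BULK_WINDOW
            recent[user] = [(t, p) for t, p in recent[user] if ts - t <= BULK_WINDOW]
            recent[user].append((ts, path))
            distinct = {p for _, p in recent[user]}
            if len(distinct) >= BULK_THRESHOLD and user not in bulk_flagged:
                bulk_flagged.add(user)
                findings.append(("bulk_read", user, ts))
        elif action == "WRITE" and path.lower().endswith(ARCHIVE_EXT):
            findings.append(("archive_created", user, ts))
    return findings
```

Running `hunt(SAMPLE_LOG)` flags the backup account's night-time read once, the contractor's five night-time reads, the contractor's bulk read on the fifth file, and the archive written afterwards, while the corporate HR share is ignored; the backup account hit is the kind of false positive that the workflow validation bullet above is meant to tune out.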

Mitigation priorities

  • Start with operational information confidentiality: identify sensitive operational files, databases, configurations, programs, facility information, and process artifacts, then define handling and access rules.
  • Restrict file and directory permissions so access is limited to users and roles with a legitimate operational need.
  • Encrypt sensitive information at rest where feasible, especially repositories containing high-value operational designs, configurations, or IP.
  • Deploy or tune DLP capabilities to identify and, where appropriate, prevent transfer of operational information through corporate channels such as email, web, network egress, endpoint paths, and physical media.
  • Review whether mitigation evidence can support audit, compliance, and incident-response decision-making, including who accessed what, when, and whether transfer controls acted as expected.

Analyst notes and limits

The Bowman Dam references in the ATT&CK description illustrate adversary interest in probing for operational data. The strongest defensive value is to define what counts as operationally sensitive information in the local environment and then prove access control, encryption, DLP, and monitoring coverage around it.

The supplied ATT&CK object has no official detection text, no platforms, and no tactics specified. Telemetry and controls above are inferred from the official description and mitigation relationships, so local validation is required before asserting coverage or risk exposure.

Official MITRE ATT&CK definition

Theft of Operational Information

Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. [1] [2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware (ICS)

S0496: REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]

Platforms: Windows

Malware (ICS)

S0038: Duqu

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. [1]

Platforms: Windows

Malware (ICS)

S0143: Flame

Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [1]

Platforms: Windows

Campaign (ICS)

C0063: 2025 Poland Wiper Attacks

2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not shown in the mirrored snapshot)
Modified: (not shown in the mirrored snapshot)
Raw hash: 82c6d3e3eccb6de5...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1      (not shown)       1.0              (not shown) Current bundle  82c6d3e3eccb…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Mark Thompson. (2016, March 24). Iranian Cyber Attack on New York Dam Shows Future of War. Retrieved 2019/11/07.
  2. [2] Danny Yadron. (2015, December 20). Iranian Hackers Infiltrated New York Dam in 2013. Retrieved 2019/11/07.
  3. [3] mitre-attack. T0882.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.