MITRE ATT&CK® Technique

T1474.002: Compromise Hardware Supply Chain

Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system.

Mobile | T1474.002 | Sub-technique | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This technique matters because the compromise can be introduced before a mobile device reaches the organization. If hardware or firmware is manipulated in the supply chain, the resulting backdoor may be difficult for normal endpoint monitoring to see and may give an adversary strong control over Android or iOS systems once they are trusted on enterprise networks.

Executive priority

Treat this as a procurement, mobile security, and resilience risk rather than only a SOC detection problem. Leaders should ask whether mobile device sourcing, vendor update commitments, decommissioning rules, and access controls for unpatched devices are documented and enforceable. The business decision is whether devices of uncertain provenance or unsupported patch status should be allowed to access enterprise resources.

Technical view

ATT&CK provides no official detection text for this sub-technique, but it is related to detection strategy DET0604 and mitigation M1001 Security Updates. SOC, IR, and mobile security teams should validate whether Android and iOS device inventory, ownership/provenance, firmware/OS version, security patch level, update status, and enterprise access decisions are observable. Because the compromise may exist below the application layer, teams should not rely only on app telemetry or user-reported symptoms.

Likely telemetry

  • Mobile device inventory and enrollment records
  • Procurement, receiving, and device provenance records
  • MDM/UEM compliance status for Android and iOS devices
  • Firmware, OS version, and security patch level data
  • Enterprise access logs showing devices allowed or blocked based on compliance posture

Detection direction

  • Review the related DET0604 detection strategy if available in the local ATT&CK content set; the official technique object itself does not provide detection detail.
  • Validate that detection coverage includes device integrity and compliance posture, not only mobile application behavior.
  • Tune monitoring around deviations from expected device models, OS or firmware versions, patch levels, and enrollment/procurement records.
  • Correlate mobile access logs with device provenance and patch status to identify devices that should not be trusted for enterprise access.
  • Account for false positives from normal device replacement, carrier/vendor update delays, refurbishment, and incomplete asset records.

Mitigation priorities

  • Prioritize purchasing devices from vendors and mobile carriers with clear commitments to prompt security updates for a defined support period.
  • Use M1001-aligned policy: install security updates, track patch levels, and decommission devices that no longer receive updates.
  • Limit or block enterprise access from devices that have not installed recent security updates, including Android controls based on security patch level where applicable.
  • Maintain procurement and asset records that allow security teams to distinguish approved devices from devices of uncertain origin.
  • Include mobile supply chain scenarios in incident response and compliance evidence planning, especially where mobile devices access sensitive enterprise resources.
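
The correlation described in the detection and mitigation bullets above, as an added example that is not Glexia's or MITRE's code: an MDM/UEM inventory export is checked against procurement records, an approved-model baseline and a patch-age limit, and each device gets an access verdict with the findings that drove it. The serials, models, dates and the 90-day threshold are constructed assumptions.

```python
# Added example, not Glexia's or MITRE's code: correlate an MDM/UEM inventory export
# with procurement records and patch level; all records and the 90-day limit are constructed.
from dataclasses import dataclass, field
from datetime import date

PROCUREMENT = {"SN-1001": "Pixel 8", "SN-1002": "Pixel 8", "SN-2001": "iPhone 15"}
APPROVED_MODELS = {"Pixel 8", "iPhone 15"}  # constructed approved baseline
MAX_PATCH_AGE_DAYS = 90                     # M1001-aligned policy threshold
AS_OF = date(2025, 6, 1)                    # evaluation date for the sample run

@dataclass
class Device:
    serial: str
    model: str         # model as reported by the device during enrollment
    patch_level: date  # Android security patch level or iOS update release date
    enrolled: bool     # has a current MDM/UEM compliance record

@dataclass
class Verdict:
    serial: str
    allow: bool = True
    reasons: list = field(default_factory=list)

def evaluate(dev: Device, today: date) -> Verdict:
    """Return an access decision plus the posture findings that drove it."""
    v = Verdict(dev.serial)
    procured = PROCUREMENT.get(dev.serial)   # receiving record, if any
    if procured is None:
        v.reasons.append("no procurement record: provenance unknown")
    elif procured != dev.model:
        v.reasons.append(f"model mismatch: procured {procured}, enrolled as {dev.model}")
    if dev.model not in APPROVED_MODELS:
        v.reasons.append(f"model {dev.model} not in approved baseline")
    age = (today - dev.patch_level).days
    if age > MAX_PATCH_AGE_DAYS:
        v.reasons.append(f"patch level {age} days old (limit {MAX_PATCH_AGE_DAYS})")
    if not dev.enrolled:
        v.reasons.append("not enrolled in MDM/UEM")
    v.allow = not v.reasons  # any finding blocks access pending review
    return v

def evaluate_fleet(devices, today):
    return {d.serial: evaluate(d, today) for d in devices}

DEVICES = [  # constructed inventory export
    Device("SN-1001", "Pixel 8", date(2025, 5, 5), True),    # clean
    Device("SN-2001", "iPhone 15", date(2025, 1, 15), True), # stale patch level
    Device("SN-9999", "Pixel 8", date(2025, 5, 5), True),    # no receiving record
    Device("SN-1002", "Pixel 7", date(2025, 5, 5), False),   # model mismatch, unenrolled
]
```

Running evaluate_fleet(DEVICES, AS_OF) blocks SN-2001 for a stale patch level, SN-9999 for unknown provenance and SN-1002 for three findings; a blocked device then goes through the false-positive review in the detection bullets (replacement, vendor update delay, incomplete records) rather than being treated as confirmed compromise.
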

Analyst notes and limits

This is a mobile ATT&CK sub-technique under Supply Chain Compromise and applies to Android and iOS. The supplied description emphasizes manipulation of hardware or firmware before receipt by the final consumer, which makes prevention, procurement assurance, update policy, and access governance especially important. The NIST Mobile Threat Catalogue references indicate a broader mobile supply-chain concern, but the provided fields do not include detailed detection logic or incident examples.

The official ATT&CK object does not specify tactics and provides no detection text. The supplied relationship to DET0604 names a detection strategy but does not include its detection content. Local device management data, procurement records, and access-control architecture are required to determine actual exposure or coverage. No active exploitation, attribution, or guaranteed detection is implied.

Official MITRE ATT&CK definition

Compromise Hardware Supply Chain

Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Mobile | T1474 | Supply Chain Compromise | This object is a sub-technique of Supply Chain Compromise.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 5fda5ad245776e3d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 5fda5ad24577…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] NIST Mobile Threat Catalogue SPC-1
  [2] NIST Mobile Threat Catalogue SPC-13
  [3] NIST Mobile Threat Catalogue SPC-16
  [4] NIST Mobile Threat Catalogue SPC-17
  [5] NIST Mobile Threat Catalogue SPC-2
  [6] NIST Mobile Threat Catalogue SPC-21
  [7] NIST Mobile Threat Catalogue SPC-4
  [8] NIST Mobile Threat Catalogue SPC-5
  [9] NIST Mobile Threat Catalogue SPC-6
  [10] NIST Mobile Threat Catalogue SPC-7
  [11] NIST Mobile Threat Catalogue SPC-8
  [12] mitre-attack T1474.002

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.