T1491.002: External Defacement
An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.[1][2][3] External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.[4]
Analyst context for executives and security teams
External Defacement is an impact behavior where an adversary changes public-facing content, commonly websites, to deliver messaging, intimidate, mislead users, or undermine trust in the organization’s integrity. For leaders, the practical issue is not only website restoration; it is reputational confidence, customer communications, incident decision-making, and whether the same access could be used as a precursor to other activity such as Drive-by Compromise.
Executive priority
Treat this as a business-continuity and trust-risk scenario for externally visible systems across Windows, Linux, macOS, and IaaS environments. Executives should ask whether public web properties have tested recovery paths, whether communications and incident response roles are pre-defined, and whether backup evidence is audit-ready. Because ATT&CK links Data Backup as a mitigation, recovery assurance should be prioritized alongside detection and public-facing asset governance.
Technical view
ATT&CK provides no official detection text for T1491.002, but the relationship to DET0590 indicates a behavioral detection strategy for external website defacement across platforms. SOC and IR teams should validate monitoring for unauthorized changes to externally served content, unusual web server or IaaS-hosted asset modification activity, and integrity deviations from known-good public content. Analysts should also correlate defacement with broader impact activity under T1491 and consider whether altered content could support follow-on Drive-by Compromise, as noted in the official description.
Likely telemetry
- Public website content integrity monitoring or known-good baseline comparison
- Web server access logs and administrative activity logs
- File integrity monitoring for externally served web directories or application content
- IaaS audit logs for changes to hosted web assets, storage objects, images, or deployment pipelines
- Web application, CMS, and publishing workflow logs where applicable
Detection direction
- Validate whether DET0590-style behavioral monitoring is implemented for external website content changes, not only infrastructure availability.
- Tune alerts to distinguish authorized publishing, planned releases, and maintenance from unexpected visual or content replacement.
- Correlate content changes with administrative logins, deployment events, web server writes, and IaaS control-plane activity.
- Check blind spots around third-party-hosted sites, cloud storage-backed static sites, content delivery paths, and unmanaged public web properties.
- Because no official ATT&CK detection text is provided, require local baselines and asset ownership data before judging coverage.
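One way to turn the telemetry and detection points above into a concrete check, as an added example that is not part of the ATT&CK object or the Glexia page: hash the content a public site currently serves, compare it with a known-good baseline, suppress changes that an authorized deployment record explains, and flag any modified page that now pulls scripts from a host outside an allowlist (the Drive-by Compromise precursor the description mentions). The site paths, page bodies, deployment log, allowlist and the fifteen-minute deployment window are all constructed assumptions for the illustration.

```python
"""Added example (not MITRE or Glexia code): baseline integrity check for
externally served content, correlated with authorized deployment records.
All inputs below are constructed for the illustration."""
import hashlib
import re
from datetime import datetime, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good copies of the published pages (assumed site layout).
KNOWN_GOOD = {
    "/index.html": b"<html><body><h1>Example Corp</h1></body></html>",
    "/about.html": b"<html><body><p>About us</p></body></html>",
    "/js/app.js": b"console.log('app');",
}
BASELINE = {path: sha256(body) for path, body in KNOWN_GOOD.items()}

# Hosts that may legitimately serve scripts to the site (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}

# Constructed deployment records, e.g. from a CI pipeline or IaaS audit log.
DEPLOYMENTS = [
    {"time": datetime(2024, 5, 1, 9, 0), "actor": "ci-pipeline",
     "paths": ["/about.html"]},
]
DEPLOY_WINDOW = timedelta(minutes=15)  # assumed tolerance after a deploy

# Matches <script ... src="http(s)://host/..."> and captures the host part.
SCRIPT_SRC = re.compile(
    rb'<script[^>]*\ssrc=["\']https?://([^/"\'\s]+)', re.IGNORECASE)


def authorized_by(path, observed_at, deployments):
    """Actor of a deployment that touched `path` within DEPLOY_WINDOW before
    `observed_at`, or None if no deployment explains the change."""
    for d in deployments:
        delta = observed_at - d["time"]
        if path in d["paths"] and timedelta(0) <= delta <= DEPLOY_WINDOW:
            return d["actor"]
    return None


def foreign_script_hosts(body):
    """Script hosts referenced by the page that are not on the allowlist."""
    hosts = {h.decode("ascii", "replace").lower() for h in SCRIPT_SRC.findall(body)}
    return sorted(hosts - ALLOWED_SCRIPT_HOSTS)


def check_content(observed, observed_at, baseline=BASELINE, deployments=DEPLOYMENTS):
    """Compare served content with the baseline and return a list of findings.
    Unchanged paths produce no finding; a modified path explained by a recent
    deployment is 'info'; an unexplained modification, a removed page, or any
    modification that introduces a foreign script host is 'high'."""
    findings = []
    for path, expected in baseline.items():
        body = observed.get(path)
        if body is None:
            findings.append({"path": path, "status": "missing", "severity": "high",
                             "authorized_by": None, "foreign_scripts": []})
            continue
        if sha256(body) == expected:
            continue
        actor = authorized_by(path, observed_at, deployments)
        foreign = foreign_script_hosts(body)
        severity = "high" if actor is None or foreign else "info"
        findings.append({"path": path, "status": "modified", "severity": severity,
                         "authorized_by": actor, "foreign_scripts": foreign})
    for path, body in observed.items():
        if path not in baseline:  # content published outside the baseline
            findings.append({"path": path, "status": "unexpected", "severity": "medium",
                             "authorized_by": authorized_by(path, observed_at, deployments),
                             "foreign_scripts": foreign_script_hosts(body)})
    return findings


# Constructed snapshot of what the site served five minutes after the deploy:
# index.html was replaced and now loads a script from an outside host,
# about.html changed inside the authorized window, app.js is untouched.
OBSERVED_AT = datetime(2024, 5, 1, 9, 5)
OBSERVED = {
    "/index.html": (b'<html><body><h1>Hacked</h1>'
                    b'<script src="https://evil.example/x.js"></script></body></html>'),
    "/about.html": b"<html><body><p>About us, updated</p></body></html>",
    "/js/app.js": b"console.log('app');",
}

if __name__ == "__main__":
    for finding in check_content(OBSERVED, OBSERVED_AT):
        print(finding)
```

In production the `OBSERVED` map would be populated by fetching each baseline path through the same edge users hit (CDN, load balancer) rather than reading the origin filesystem, since a defacement of cached or storage-backed content is only visible on the served path; the baseline itself should be regenerated from the deployment pipeline's artifact, not from whatever the server currently holds.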
Mitigation priorities
- Prioritize reliable Data Backup for critical externally facing systems, consistent with ATT&CK mitigation M1053.
- Keep backups hardened, securely stored, and isolated enough to remain usable during an active incident.
- Test restoration of public-facing content and supporting infrastructure so recovery is measured in operational terms, not just backup existence.
- Maintain authoritative inventories of external web properties and owners so defacement reports can be triaged quickly.
- Prepare incident communications and validation procedures to restore user trust after public content integrity is affected.
Analyst notes and limits
Relationship context shows this sub-technique belongs to Defacement under the impact tactic and is used by Sandworm Team and Ember Bear in ATT&CK. That relationship is useful for threat intelligence enrichment, but it should not be treated as attribution in a local incident without supporting evidence. The object is especially relevant for organizations with public-facing websites, cloud-hosted content, or politically sensitive public presence.
The official ATT&CK object does not provide detection guidance, and the supplied fields do not identify specific vulnerabilities, tools, procedures, or active exploitation. Local asset inventory, hosting architecture, publishing workflow, and logging coverage are required to determine exposure and detection quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1491 | Defacement | This object is a sub-technique of Defacement. |
Groups, software, and campaigns
G1003: Ember Bear
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 5d989e830844… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye. (n.d.). Cyber Threats to Media Industries. Retrieved November 17, 2024.
[2] Kevin Mandia. (2017, March 30). Prepared Statement of Kevin Mandia, CEO of FireEye, Inc. before the United States Senate Select Committee on Intelligence. Retrieved April 19, 2019.
[3] Andy. (2018, May 12). ‘Anonymous’ Hackers Deface Russian Govt. Site to Protest Web-Blocking (NSFW). Retrieved April 19, 2019.
[4] Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.
[5] MITRE ATT&CK. T1491.002: External Defacement.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.