TID-301: Application Binaries Modified
Threat Description
A threat actor could modify application-level binaries or libraries on the device to introduce unauthorized code, maintain persistence, or evade detection. This also covers modification of the runtime libraries that support program execution, and of the key PLC program blocks that control when application logic runs, such as the organization blocks (OBs) that the PLC runtime calls cyclically or in response to interrupts.
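A defender-side check for this threat, added here as an example and not part of the EMB3D page: record a SHA-256 manifest of the application binaries and libraries while the device is in a known-good state, re-hash later, and report which files were modified, added, or removed. The directory tree, file names (bin/ctrl_app, lib/libruntime.so, lib/libpersist.so) and file contents are constructed inline for the demonstration and are assumptions, not artifacts from any real device.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def hash_file(path: Path) -> str:
    """SHA-256 of a file's bytes, read in chunks so large binaries never sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped: the link itself is not the code that runs, and the
    target it points to is hashed under its own name if it lives under root.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path as modified, added, or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario (not a real firmware image): baseline a tiny tree,
    then patch one library and drop a new one, as an implant might."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "ctrl_app").write_bytes(b"\x7fELF fake application")
        (root / "lib" / "libruntime.so").write_bytes(b"\x7fELF fake runtime library")
        baseline = build_manifest(root)  # captured from the known-good state

        # Simulated tampering: modify the runtime library, add a persistence hook
        (root / "lib" / "libruntime.so").write_bytes(b"\x7fELF fake runtime library\x90\x90")
        (root / "lib" / "libpersist.so").write_bytes(b"\x7fELF fake implant")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest off the device, or in storage the application cannot write, and sign it: an attacker who can rewrite libruntime.so can usually rewrite a manifest stored beside it. The check covers file contents only; code injected into a running process, or PLC blocks such as OB1 and OB35 held in controller memory, need a separate comparison against the engineering project.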
Threat Maturity and Evidence
Observed Adversarial Technique
ATT&CK Technique: Modify Controller Tasking (T0821)
Procedure Example: Stuxnet (S0603)
“Stuxnet infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1.”
CWE
CWE-862: Missing Authorization
“The product does not perform an authorization check when an actor attempts to access a resource or perform an action.”