Impact – MITRE ATTACK (Tactic TA0040)

CyberDefender 7 mins0

MITRE ATT&CK – Impact (Tactic TA0040)

The Impact tactic represents an adversary’s end-goal actions — the operations they perform to disrupt, degrade, destroy, manipulate, or exfiltrate data, systems, or business operations.
While earlier tactics focus on gaining access and maintaining control, Impact is where attackers cause actual harm to the victim organization.

Impact techniques often appear in:

  • Ransomware attacks
  • Data destruction campaigns
  • Hack-and-leak operations
  • Disruptive/denial attacks
  • Cyber-physical and ICS attacks

Why Impact Matters

Understanding Impact techniques helps defenders:

  1. Identify the attacker’s end goal
  2. Prioritize incident response
  3. Design controls that limit damage, not just prevent intrusion
  4. Detect destructive actions before irreversible damage happens

Major Impact Techniques (Technical Breakdown)

Below are the most common Impact techniques in MITRE ATT&CK with clear explanations.

1. Data Destruction (T1485)

Attackers delete or overwrite files, partitions, or disks to make systems unusable.

How it’s done:

  • Using OS commands: rm -rf /, del /F /Q /S *
  • Overwriting sectors with tools like shred, sdelete
  • Dropping wiper malware (e.g., Shamoon, NotPetya)

Result:

  • Permanent loss of data
  • Requires restoration from backups or rebuilds

2. Data Encryption for Impact (T1486)

Used heavily by ransomware operators.

How it works:

  • Attacker encrypts files using symmetric keys (AES)
  • Keys are then encrypted using attacker’s public key (RSA)
  • Victim receives ransom note demanding payment for decryption

Effects:

  • Systems remain functional, but data becomes inaccessible
  • Business operations stop until restored

3. Data Manipulation (T1565)

Instead of deleting or encrypting data, attackers change its content, causing integrity loss.

Forms of manipulation:

  • Stored data modification (e.g., changing financial records)
  • Transmitted data manipulation (MITM attacks)
  • Runtime data manipulation (altering values in memory)

Risk:

  • Hard to detect because systems continue running normally
  • Can lead to inaccurate analytics or fraud

4. Defacement (T1491)

Visible modification of web pages, applications, or digital content.

Technical means:

  • Replacing website index files
  • Injecting malicious JavaScript
  • Changing UI text/images in ICS or monitoring dashboards

Purpose:

  • Psychological impact
  • Political messaging
  • Reputation damage for the victim

5. Disk Wipe / Disk Structure Corruption (T1561)

Attackers corrupt boot records, partitions, or file systems.

Techniques:

  • Overwriting Master Boot Record (MBR)
  • Tampering with GUID Partition Table (GPT)
  • Dropping wipers like KillDisk

Consequence:

A system that won’t boot and requires reinstallation.

6. Denial of Service (T1498 / T1499)

Attackers disrupt availability by overwhelming services.

Two types:

Network DoS (T1498)

  • Large traffic floods (UDP, TCP SYN)
  • Amplification attacks (DNS, NTP)

Application/Host DoS (T1499)

  • Consuming CPU/memory
  • Exploiting bugs to crash services
  • Fork bombs or resource exhaustion scripts

Purpose:

  • Disrupt business operations
  • Conceal other malicious activity (distraction)

7. Resource Hijacking (T1496)

Using victim resources for attacker benefit.

Common examples:

  • Cryptomining malware (CPU/GPU mining)
  • Using victim infrastructure for DDoS or botnets
  • Consuming cloud instances to generate cost spikes

Indicators:

  • High resource usage
  • Unexpected cloud billing increases

8. Account Access Removal (T1531)

Attackers remove or lock out valid user accounts.

Techniques:

  • Changing passwords or MFA settings
  • Deleting admin accounts
  • Revoking access tokens in cloud platforms

Objective:

  • Cause operational disruption
  • Slow down or prevent incident response

9. Service Stop (T1489)

Attackers disable critical system or security services.

Targets include:

  • Backup services
  • Antivirus/EDR
  • Database services
  • ICS safety controllers

Tools:

  • sc stop on Windows
  • systemctl stop on Linux

Impact:

  • System becomes vulnerable or unusable

Putting It All Together – Attack Flow Example

A real-world attack may follow this pattern:

  1. Initial Access – phishing
  2. Privilege Escalation – exploit or credential theft
  3. Lateral Movement – RDP, SMB
  4. Data Collection and Exfiltration
  5. Impact – ransomware encrypts files (T1486), backup services stopped (T1489), shadow copies deleted (T1561)

This is where business damage occurs.

Key Defenses Against Impact Techniques

Technical recommendations:

  • Immutable backups and offline storage
  • Application whitelisting
  • EDR/anti-ransomware behavior detection
  • Network segmentation
  • Privileged access management
  • Disk protection (SecureBoot, MBR/GPT protection)
  • Logging integrity mechanisms
  • Rate-limiting and DDoS protection

Process-level defenses:

  • Incident response playbooks
  • Regular backup testing
  • Business continuity planning

Summary (Simple)

Impact = The attacker’s final actions that cause real harm.
This includes encrypting data, destroying systems, leaking data, defacing websites, causing downtime, or manipulating information.

CyberDefender