216.73.217.22

T1561.002: T1561.002

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:37 · Modified 15/04/2026 12:25

Essential information

MITRE technique ID
T1561.002
Confidence
100/100
Revoked
No
Published
16/12/2025 19:37
Modified
15/04/2026 12:25
Author / Source
The MITRE Corporation

Aliases

Disk Structure Wipe

Platforms

windows macos linux Network Devices

Description

Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped. On a network devices, adversaries may reformat the file system using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `format`.(Citation: format_cmd_cisco) To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)

Kill chain phases

Kill chainPhase
mitre-attack impact

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (10)

  • BlackJack uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 06:41 · Modified 21/12/2025 06:41
  • Saint Bear uses UNC2589Bleeding Bear
    The MITRE Corporation Confidence 100

    [Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • STARDUST CHOLLIMA uses NICKEL GLADSTONEBeagleBoyz
    The MITRE Corporation Confidence 100

    [APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • Handala Hack (Void Manticore) uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/03/2026 11:51 · Modified 16/03/2026 11:51
  • Key Group uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 06:45 · Modified 21/12/2025 06:45
  • Multiple Iranian APT groups uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 04/03/2026 16:46 · Modified 04/03/2026 16:46
  • Lazarus Group uses HIDDEN COBRAGuardians of Peace
    The MITRE Corporation Confidence 100

    [Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • APT37 uses InkySquidGroup123
    The MITRE Corporation Confidence 100

    [APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • Sandworm Team uses ELECTRUMTelebots
    The MITRE Corporation Confidence 100

    [Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Void Manticore uses COBALT MYSTIQUEHandala Hack
    AlienVault Confidence 100

    [VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:51 · Modified 04/05/2026 16:33

Malware (44)

  • WhisperGate - S0689 uses
    Family
    Published 10/06/2025 18:09 · Modified 10/06/2025 18:09
  • Meteor - S0688
  • ShrinkLocker uses
    Family
    Published 17/09/2024 11:15 · Modified 17/09/2024 11:15
  • Filerase uses
    Family
    Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
  • Shamoon - S0140 uses
    Family
    Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
  • WhisperGate uses
    Family
    Published 09/09/2024 08:02 · Modified 09/09/2024 08:02
  • LockBit uses
    Family
    Published 06/05/2026 10:26 · Modified 06/05/2026 10:26
  • Hakuna Matata uses
    Family
    Published 02/10/2024 08:51 · Modified 02/10/2024 08:51
  • CaddyWiper
  • CaddyWiper - S0693 uses
    Family
    Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
  • Handala Wiper uses
    Family
    Published 16/03/2026 10:24 · Modified 16/03/2026 10:24
  • StoneDrill
  • DEADWOOD
  • HermeticWiper uses
    Family
    Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
  • Destover
  • ZeroCleare uses
    Family The MITRE Corporation Confidence 100

    [ZeroCleare](https://attack.mitre.org/software/S1151) is a wiper malware that has been used in conjunction with the [RawDisk](https://attack.mitre.org/software/S0364) driver since at least 2019 by suspected Iran-nexus threat actors including activity targeting the …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:37 · Modified 27/03/2026 01:05
  • SHAPESHIFT uses
    Family
    Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
  • StoneDrill - S0380
  • Shamoon
  • Slam uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 21:56 · Modified 20/12/2025 21:56
  • IOCONTROL uses
    Family
    Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
  • Xorist uses
    Family
    Published 02/10/2024 08:51 · Modified 02/10/2024 08:51
  • RuRansom uses
    Family
    Published 02/10/2024 08:51 · Modified 02/10/2024 08:51
  • Lotus Wiper uses
    Family
    Published 21/04/2026 12:09 · Modified 21/04/2026 12:09
  • IsraBye
  • Ordinypt
  • Apostle
  • UX-Cryptor uses
    Family
    Published 02/10/2024 08:51 · Modified 02/10/2024 08:51
  • Judge/NoCry uses
    Family
    Published 02/10/2024 08:51 · Modified 02/10/2024 08:51
  • IsaacWiper
  • RustyWater uses
    Family
    Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
  • GhostFetch uses
    Family
    Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
  • Petya
  • MultiLayer Wiper
  • SQLShred
  • Chaos - S0220 uses
    Family
    Published 09/10/2025 03:41 · Modified 09/10/2025 03:41
  • KillDisk - S0607
  • Annabelle uses
    Family
    Published 02/10/2024 08:51 · Modified 02/10/2024 08:51
  • Tickler uses
    Family
    Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
  • njRAT - S0385 uses
    Family
    Published 16/09/2025 13:41 · Modified 16/09/2025 13:41
  • ZeroCleare - S1151 uses
    Family
    Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
  • NJRat uses
    Family
    Published 05/03/2025 11:12 · Modified 05/03/2025 11:12
  • BFG Agonizer
  • KillDisk

Reports (4)

Vulnerabilities (CVE) (1)

CVE-2024-24919 KEV
8.6 High

Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways …

Attack vector
Network
Published
30/05/2024
Modified
04/03/2026
Received

Attack patterns (MITRE) (1)

  • T1561 subtechnique-of
    Disk Wipe

Tool (2)

  • RawDisk uses
    The MITRE Corporation Confidence 100

    [RawDisk](https://attack.mitre.org/software/S0364) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data …

    Published 25/03/2019 13:30 · Modified 27/03/2026 01:07
  • Diskpart uses
    The MITRE Corporation Confidence 75

    [Diskpart](https://attack.mitre.org/software/S9002) is a Windows command-line utility that is used to manage the computer’s drives, which includes disks, partitions, volumes and virtual hard disks.(Citation: Microsoft_diskpart_Feb2023) Adversaries may abuse [Diskpart](https://attack.mitre.org/software/S9002) …

    Published 26/01/2026 19:36 · Modified 04/05/2026 16:31

Campaign (1)

  • HomeLand Justice uses

Course Of Action (1)

  • Data Backup mitigates