MITRE ATT&CK Technique
Impact T1495
Description

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards. In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in [Data Destruction](https://attack.mitre.org/techniques/T1485).

Supported Platforms
Linux macOS Network Devices Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2019-04-12T18:28:15.451Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may overwrite or corrupt the flash memory '
                'contents of system BIOS or other firmware in devices attached '
                'to a system in order to render them inoperable or unable to '
                'boot, thus denying the availability to use the devices and/or '
                'the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is '
                'software that is loaded and executed from non-volatile memory '
                'on hardware devices in order to initialize and manage device '
                'functionality. These devices may include the motherboard, '
                'hard drive, or video cards.\n'
                '\n'
                'In general, adversaries may manipulate, overwrite, or corrupt '
                'firmware in order to deny the use of the system or devices. '
                'For example, corruption of firmware responsible for loading '
                'the operating system for network devices may render the '
                'network devices inoperable.(Citation: '
                'dhs_threat_to_net_devices)(Citation: '
                'cisa_malware_orgs_ukraine) Depending on the device, this '
                'attack may also result in [Data '
                'Destruction](https://attack.mitre.org/techniques/T1485). ',
 'external_references': [{'external_id': 'T1495',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1495'},
                         {'description': 'CISA. (2022, April 28). Alert '
                                         '(AA22-057A) Update: Destructive '
                                         'Malware Targeting Organizations in '
                                         'Ukraine. Retrieved July 29, 2022.',
                          'source_name': 'cisa_malware_orgs_ukraine',
                          'url': 'https://www.cisa.gov/uscert/ncas/alerts/aa22-057a'},
                         {'description': 'U.S. Department of Homeland '
                                         'Security. (2016, August 30). The '
                                         'Increasing Threat to Network '
                                         'Infrastructure Devices and '
                                         'Recommended Mitigations. Retrieved '
                                         'July 29, 2022.',
                          'source_name': 'dhs_threat_to_net_devices',
                          'url': 'https://cyber.dhs.gov/assets/report/ar-16-20173.pdf'},
                         {'description': 'Upham, K. (2014, March). Going Deep '
                                         'into the BIOS with MITRE Firmware '
                                         'Security Research. Retrieved January '
                                         '5, 2016.',
                          'source_name': 'MITRE Trustworthy Firmware '
                                         'Measurement',
                          'url': 'http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research'},
                         {'description': 'Yamamura, M. (2002, April 25). '
                                         'W95.CIH. Retrieved April 12, 2019.',
                          'source_name': 'Symantec Chernobyl W95.CIH',
                          'url': 'https://web.archive.org/web/20190508170055/https://www.symantec.com/security-center/writeup/2000-122010-2655-99'}],
 'id': 'attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'impact'}],
 'modified': '2025-10-24T17:49:37.207Z',
 'name': 'Firmware Corruption',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_impact_type': ['Availability'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Network Devices', 'Windows'],
 'x_mitre_version': '1.3'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About