Track Common Adversary Tasks Performed Using ACAD/Medre.A

Presented by: Ashwin (Microsoft Azure MVP)

ACAD/Medre.A is a worm that steals operational information. The worm collects AutoCAD files containing drawings, which makes it usable for industrial espionage.

Source:

MITRE ATT&CK® Matrix for Enterprise


Now, let's see the details around the series of events associated with this software in chronological order, and how we can work to mitigate or detect these threats.

Data from Information Repositories

Collection

ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories.

Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases or local machines in the process environment, as well as workstations and databases in the corporate network that might contain information about the ICS. Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS. In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA), July 2021)

Audit

Consider periodic reviews of accounts and privileges for critical and sensitive repositories.

Encrypt Sensitive Information

Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. 

Privileged Account Management

Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. 

Restrict File and Directory Permissions

Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. 

User Account Management

Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. Implement a user account for each individual that may access the repositories, for role enforcement and non-repudiation of actions.

User Training

Develop and publish policies that define acceptable information to be stored in repositories.

Monitoring the following activities in your organization can help you detect this technique.

Application Log: Application Log Content

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

File: File Access

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

Logon Session: Logon Session Creation

Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wtmp)
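The File Access data source above is the most direct way to catch this collection behaviour. As an added example (not code from the original page or from MITRE), here is a Python detection run over constructed Windows Security Event ID 4663 records that flags a single process reading many *.dwg drawings within a short window; the field names follow the 4663 schema, while the sample paths, user, process names and thresholds are assumptions.

```python
"""Flag mass reads of AutoCAD drawings (*.dwg) in Windows file-access audit events.
The events below are constructed for this example and mimic the fields of Security
Event ID 4663 (object access) as exported from a SIEM; they are not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

READ_DATA = 0x1  # ReadData bit of the 4663 AccessMask

def is_dwg_read(evt):
    """True for a 4663 event whose access includes reading a .dwg file."""
    mask = int(evt["AccessMask"], 16)
    return bool(mask & READ_DATA) and evt["ObjectName"].lower().endswith(".dwg")

def detect_dwg_harvesting(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per (user, process) that reads >= threshold distinct .dwg files
    within `window`; an engineer in a CAD session rarely opens that many that fast."""
    per_actor = defaultdict(list)
    for evt in events:
        if is_dwg_read(evt):
            ts = datetime.fromisoformat(evt["TimeCreated"])
            per_actor[(evt["SubjectUserName"], evt["ProcessName"])].append((ts, evt["ObjectName"]))
    alerts = []
    for (user, proc), hits in per_actor.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):  # sliding window over time-ordered reads
            while hits[end][0] - hits[start][0] > window:
                start += 1
            files = {path for _, path in hits[start:end + 1]}
            if len(files) > len(best):
                best = files
        if len(best) >= threshold:
            alerts.append({"user": user, "process": proc, "files": len(best),
                           "dirs": sorted({str(PureWindowsPath(p).parent) for p in best})})
    return alerts

SAMPLE_EVENTS = [  # constructed: two ordinary reads an hour apart from acad.exe ...
    {"TimeCreated": "2024-01-10T%02d:00:05" % h, "SubjectUserName": "eng1",
     "ProcessName": r"C:\Program Files\Autodesk\AutoCAD\acad.exe",
     "ObjectName": r"\\fs01\projects\plant\P-10%d.dwg" % h, "AccessMask": "0x1"}
    for h in (8, 9)
] + [  # ... then six drawings from two folders read within seconds by one process
    {"TimeCreated": "2024-01-10T11:30:%02d" % i, "SubjectUserName": "eng1",
     "ProcessName": r"C:\Users\eng1\AppData\Local\Temp\sync.exe",
     "ObjectName": r"\\fs01\projects\%s\D-%d.dwg" % ("plant" if i % 2 else "pipeline", i),
     "AccessMask": "0x1"}
    for i in range(6)
]
```

Tune the threshold and window to the baseline of your own CAD users; the alert lists the distinct directories touched so an analyst can see how widely a single process swept the repository.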

Theft of Operational Information

Impact

ACAD/Medre.A can collect AutoCAD files with drawings. These drawings may contain operational information.

Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data.

Data Loss Prevention

Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).

Encrypt Sensitive Information

Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP).

Operational Information Confidentiality

Example mitigations include minimizing the distribution or storage of operational information, or obfuscating it (e.g., facility cover terms or codenames). In many cases this information is needed to support critical engineering, maintenance, or operational functions, so these mitigations may not be feasible to implement.

Restrict File and Directory Permissions

Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases.