Elementary Threat · BSI IT-Grundschutz

G 0.21 — Manipulation of Hardware or Software

Reviewed by: Cenedril Editorial

At a financial company, an employee manipulates the transaction software. The change is subtle: for certain transfers, cent amounts are redirected to a third-party account. Over months the small amounts sum to a six-figure total — and the manipulation remains undetected because nobody regularly checks the integrity of the software.

Manipulation of hardware or software covers every targeted, covert intervention aimed at altering systems unnoticed. The BSI lists this threat as G 0.21. Motives range from revenge and sabotage to personal enrichment.

What’s behind it?

Manipulation is the covert, targeted intervention in a system aimed at altering its behaviour unnoticed. The decisive element is covertness: the manipulator wants the change to remain undetected for as long as possible. The deeper the perpetrator’s knowledge of the system, the more subtle and effective the manipulation can be.

Forms of manipulation

  • Hardware manipulation — installing hardware keyloggers between keyboard and computer, replacing network components with manipulated versions, installing skimming devices at ATMs or card readers.
  • Software manipulation — injecting backdoors into applications, altering configuration files, manipulating database stored procedures, installing covert remote access tools.
  • Firmware manipulation — altering the firmware of network devices, hard drive controllers or BIOS/UEFI. Particularly persistent because firmware changes survive operating system reinstallations.
  • Supply chain manipulation — interventions in the supply chain: hardware is manipulated before shipment, software libraries are laced with malicious code.

Impact

Manipulations can affect all three protection goals: confidentiality (a backdoor exfiltrates data), integrity (software produces wrong results) and availability (a manipulated controller halts or damages a plant). The later the manipulation is detected, the more severe the consequences. Manipulated accounting software can deliver false results for months before the error is noticed. A backdoor in a server can enable unnoticed access for years. Manipulated industrial controls can cause physical damage to plants.

Practical examples

Hardware keylogger in the meeting room. In a company, a small hardware keylogger is installed between the keyboard and the presentation computer in a meeting room. Every employee who logs in at the computer unknowingly reveals their credentials. The attacker regularly collects the devices and uses the captured credentials to access confidential network areas.

Manipulated database procedure. An aggrieved database administrator who has been dismissed alters a stored procedure in the financial database shortly before his last day of work. The change causes rounding differences to be mis-posted systematically at certain month-end closings. The error only surfaces at the annual audit — months after the employee’s departure.

Firmware backdoor in network devices. A company buys cheap network switches through a reseller. The devices work flawlessly but contain modified firmware that sends a copy of every configuration change to an external server. The backdoor is only discovered when a security audit notices the unusual outbound traffic.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 29 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.21 to the following modules:

  • OPS.1.1.7 (System management) — requirements for secure administration, including the four-eyes principle and logging.
  • SYS.4.3 (Embedded systems) — protection against firmware manipulation on embedded systems and IoT devices.
  • DER.1 (Detection of security-relevant events) — requirements for the detection of manipulations.
  • CON.1 (Crypto concept) — cryptographic integrity protection procedures (signatures, hashes).

Sources

ISO 27001 Controls Covering This Threat

  • A.5.9 Inventory of information and other associated assets
  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.28 Collection of evidence
  • A.5.29 Information security during disruption
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.6.7 Remote working
  • A.7.2 Physical entry
  • A.7.7 Clear desk and clear screen
  • A.7.8 Equipment siting and protection
  • A.7.9 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.13 Equipment maintenance
  • A.8.1 User endpoint devices
  • A.8.2 Privileged access rights
  • A.8.7 Protection against malware
  • A.8.12 Data leakage prevention
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.17 Clock synchronisation
  • A.8.18 Use of privileged utility programs
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.23 Web filtering
  • A.8.24 Use of cryptography
  • A.8.27 Secure system architecture and engineering principles
  • A.8.31 Separation of development, test and production environments

Frequently asked questions

How does hardware manipulation differ from software manipulation?

Hardware manipulation requires physical access at some point: installing keyloggers, replacing components, fitting skimming devices to ATMs, or intervening before shipment in the supply chain. Software manipulation can also be carried out remotely: backdoors, modified configurations, manipulated databases. The two forms therefore call for different protective measures: physical access control and inspection of equipment for hardware, integrity monitoring and code signing for software.

Can firmware also be manipulated?

Yes, and it is particularly dangerous. Firmware manipulations survive operating system reinstallations and are barely detectable with standard security software, which runs above the layer that has been altered. Countermeasures are secure boot with a hardware-anchored root of trust, vendor-signed firmware updates whose signatures are actually verified before installation, and physical access control to the devices.

How do I detect that software has been manipulated?

File integrity monitoring detects unexpected changes to system and configuration files by comparing current cryptographic hashes against a trusted baseline; the baseline itself must be protected (signed or stored off the monitored system), otherwise a manipulator with write access simply updates it alongside the files. Code signing and signature verification ensure that software originates from the expected vendor and has not been altered since it was signed. Behaviour-based analysis (EDR solutions) detects unusual actions by running programs, which also catches manipulations that a hash comparison alone would miss, such as a legitimately signed binary being abused.
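As an added illustration of the integrity-monitoring approach described above (and of the hash-and-signature protection CON.1 refers to), the following script is example code written for this page, not a tool from BSI or from the page's authors. It builds a SHA-256 baseline of a directory, protects the baseline manifest with an HMAC so that a manipulator who edits files cannot silently edit the baseline too, and then reports modified, added and removed files. All file names, contents and the key are constructed for the demonstration.

```python
"""File-integrity baseline with an HMAC-protected manifest (example code)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file below root (relative POSIX path) to its hash."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def _canonical(files: dict[str, str]) -> bytes:
    # Deterministic serialisation so the HMAC covers exactly one encoding.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(files: dict[str, str], key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag; the key must live off the monitored host."""
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def load_signed_baseline(manifest: dict, key: bytes) -> dict[str, str]:
    """Reject a manifest whose tag does not verify (edited baseline or wrong key)."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        raise ValueError("baseline manifest failed HMAC verification")
    return manifest["files"]


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, manipulate it, detect the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "transfer").write_bytes(b"post(amount)\n")          # constructed
        (root / "app.conf").write_text("payout_account=INTERNAL-001\n")     # constructed
        key = b"constructed-demo-key-store-it-off-host"                      # assumption

        manifest = sign_baseline(build_baseline(root), key)

        # Covert manipulation: altered binary, dropped library, deleted config.
        (root / "bin" / "transfer").write_bytes(b"post(amount); skim(cents)\n")
        (root / "bin" / "helper.so").write_bytes(b"\x7fELF")
        (root / "app.conf").unlink()

        result = compare(load_signed_baseline(manifest, key), build_baseline(root))

        # A manipulator who also rewrites the baseline entry is caught by the HMAC.
        forged = json.loads(json.dumps(manifest))
        forged["files"]["bin/transfer"] = hash_file(root / "bin" / "transfer")
        try:
            load_signed_baseline(forged, key)
            result["manifest_tamper_detected"] = False
        except ValueError:
            result["manifest_tamper_detected"] = True
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the manifest and key would be written to a host the monitored system cannot reach, and the check would run on a schedule with its findings forwarded to the SIEM; note that a check of this kind sees only the file system the operating system presents, so firmware below that layer still needs secure boot and signed updates.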