HAVEX Targets Industrial Control Systems

Written by: Abigail Pichel

Industrial control systems (ICS)/SCADA systems have become an area of focus in the security industry due to previous high-profile attacks like FLAME and Stuxnet. These systems are often used to operate important industries like transportation, energy, and water treatment plants, yet despite that significance they are widely known to lack proper means of securing them.

The issue of ICS security was once again thrust into the headlines with the discovery of a campaign targeting certain companies in the energy sector. The discovery highlights two facts: ICS/SCADA systems have become a target for threat actors, and these systems are insufficiently secured. In the Trend Micro paper, Who’s Really Attacking Your ICS Equipment?, researchers created a honeypot that drew several real-world attacks, of varying types, from several countries. This shows that ICS environments, especially Internet-facing ones, are particularly vulnerable to attackers.

Arrival Vectors

Security researchers have noted that the attackers, collectively known either as Dragonfly or Energetic Bear, used several tactics to infiltrate their targets and gain access to these systems.

Phishing emails were sent to selected employees of the target companies. These emails contained malicious PDF attachments.

The attackers also employed a watering-hole type of attack. Certain ICS-related sites were hacked in order to compromise legitimate applications related to ICS software. These Trojanized applications were then downloaded by the targeted companies, thus compromising their systems.

Remote Access via HAVEX

The attack relied on a remote access Trojan (RAT). This malware collects information and uploads the stolen data to the command-and-control (C&C) servers. The information collected includes the infected machine’s OS version, the computer name, the logged-in user, and lists of files and directories.

This Trojan can download and execute component files. These component files are capable of enumerating all connected network resources, such as computers or shared resources. They use the Distributed Component Object Model (DCOM) to connect to OPC servers within the network, then enumerate those OPC servers to gather information such as the CLSID, UserType, Program ID, version support, server bandwidth, and server state.

Both the Trojan and the component files are detected as BKDR_HAVEX.A.
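The OPC enumeration described above leaves a network trace that defenders can look for: a host that is not an approved OPC client opening DCOM sessions to several OPC servers in a short time. The following is an added detection sketch, not Trend Micro's code and not part of the original article. The addresses, the asset inventory, the flow-record format, the window and the threshold are all constructed assumptions; the only protocol fact it relies on is that DCOM sessions begin at the RPC endpoint mapper on TCP 135.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, site-specific inventory (constructed addresses, not from the article).
OPC_SERVERS = {"10.10.5.11", "10.10.5.12", "10.10.5.13", "10.10.5.14"}
APPROVED_OPC_CLIENTS = {"10.10.4.20"}   # e.g. the HMI or historian
RPC_ENDPOINT_MAPPER = 135               # DCOM sessions begin on TCP 135
WINDOW = timedelta(minutes=10)
THRESHOLD = 3                           # distinct OPC servers within WINDOW

# Constructed flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2014-07-01T09:00:05 10.10.4.20 10.10.5.11 135
2014-07-01T09:00:06 10.10.4.20 10.10.5.12 135
2014-07-01T09:00:07 10.10.4.20 10.10.5.13 135
2014-07-01T09:14:10 10.10.2.57 10.10.5.11 135
2014-07-01T09:14:40 10.10.2.57 10.10.5.12 445
2014-07-01T09:15:02 10.10.2.57 10.10.5.12 135
2014-07-01T09:16:30 10.10.2.57 10.10.5.13 135
2014-07-01T09:00:00 10.10.2.88 10.10.5.11 135
2014-07-01T11:00:00 10.10.2.88 10.10.5.12 135
2014-07-01T13:00:00 10.10.2.88 10.10.5.14 135
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, dst_port) from whitespace-separated lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)

def find_opc_sweeps(flows, threshold=THRESHOLD, window=WINDOW):
    """Map each unapproved source to the OPC servers it reached over DCOM,
    if it reached at least `threshold` distinct ones inside one window."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if (port == RPC_ENDPOINT_MAPPER and dst in OPC_SERVERS
                and src not in APPROVED_OPC_CLIENTS):
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide window forward
                start += 1
            seen = {dst for _, dst in events[start:end + 1]}
            if len(seen) >= threshold:
                alerts[src] = sorted(seen)
                break
    return alerts
```

In the constructed data, the approved client and the host whose three connections are spread over four hours are not reported; only the workstation that reaches three OPC servers within a few minutes is.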

The Targets

Findings show that the victims were based primarily in Europe and the US.

Studying the Targets

Details of the Dragonfly attack also support findings from a Trend Micro research paper, The SCADA That Didn’t Cry Wolf: Who’s Really Attacking Your ICS Equipment. The paper mentions one trend, namely, the increase in “targeted” attacks—attacks that appear to be looking into ICS devices more closely prior to executing the attack. The fact that the Dragonfly attack employed that specific watering hole attack shows that these attackers studied their targets before crafting their malicious routines.

Protection Against Attacks

Trend Micro blocks all threats related to this campaign.

FROM THE FIELD: EXPERT INSIGHTS

“What's truly unique about this campaign is how the attackers delivered their attacks. For this campaign, the attackers managed to compromise the ICS vendor site and replaced the legitimate software installers with the Trojanized version. The purpose of this is to gain access to the actual targets, which are the industrial sectors that use Industrial Control System (ICS).” - Ronnie Giagone, Research Engineer