Havex Compromise of ICS operators across Europe and the US

Incident Impacts: Data Theft, Pre-Positioning and Reconnaissance
Affected Sector: Energy
Associated Intrusion Sets: Dragonfly

The Havex malware, also known as "Dragonfly," was used in an extensive espionage campaign primarily against energy, aviation, pharmaceutical, defense, and petrochemical sectors in the United States and Europe. The campaign is estimated to have targeted over 2,000 sites in these regions.

Havex was distributed by hacking into the websites of industrial control system (ICS) manufacturers and replacing their legitimate software downloads with trojanized versions. This remote access trojan (RAT) collects data from supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS).

The attackers used "watering hole" attacks, infecting websites that their targets were likely to visit. Three ICS vendor websites in Germany, Switzerland, and Belgium were compromised, and the legitimate software installers hosted on them were replaced with trojanized versions that delivered the Havex RAT.

In addition to the watering hole attacks, spam and exploit kits were also used to deliver the malware.

Havex makes use of an industrial standards specification, OLE for Process Control (OPC), which allows Windows applications to interact with process control hardware. The malware was used as a tool for intelligence gathering. It did not attempt to control the connected hardware but gathered details about these devices and sent them back to the command-and-control server for the attackers to analyze. The intelligence collected could then have been used to design more targeted attacks.

Havex Compromise of ICS operators across Europe and the US Threat Reports

Dragonfly: Cyberespionage Attacks Against Energy Suppliers

This report by Symantec details activities of the cyberespionage group known as Dragonfly. The reporting covers a campaign which initially focused ...
