Havex RAT has been used in multiple spying campaigns

Jul 6, 2014 15:55 GMT

Cyber-espionage is nothing new to the security industry, which has watched state-sponsored groups steadily increase the sophistication of the malware used in their campaigns and adopt new attack vectors.

In recent reports, security researchers have revealed a new infiltration method for malware used in government-controlled espionage operations: the Havex RAT has been found to reach sensitive infrastructure in the energy sector through updates for industrial control systems (ICS) software, delivered by the vendors themselves.

The attackers, known in the security industry as the Energetic Bear (CrowdStrike) or Dragonfly (Symantec) group and believed to be state-sponsored, compromised the websites of a few ICS software vendors and trojanized the legitimate software made available there.

Clients relying on that software to manage and control their systems would download and install the tampered package, giving the group access to inside information on the network.
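The defensive counterpart to this infection vector is to check a downloaded installer against an integrity value obtained through a channel other than the download site itself. The following is an added illustration, not code from the article or from any of the vendors named in it: it hashes a file with SHA-256 and compares the result against a digest the vendor is assumed to have published out-of-band (a signed release note, a printed datasheet, a phone call). The installer bytes and the "published" digest are constructed for the example; a package swapped on a compromised download site no longer matches.

```python
"""Integrity check for a vendor-distributed installer.

Added example (not from the article or any ICS vendor): verify a downloaded
setup file against a SHA-256 digest that the vendor published through a
separate channel. All file contents and digests here are constructed.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path, published_sha256):
    """Return True only if the file digest matches the out-of-band published value."""
    actual = sha256_file(path)
    # compare_digest keeps the comparison constant-time and tolerates case differences
    # in how the vendor printed the hex digest.
    return hmac.compare_digest(actual.lower(), published_sha256.strip().lower())


# Constructed stand-ins: the genuine package and one with extra code appended,
# as a tampered download from a compromised vendor site might look.
GENUINE_INSTALLER = b"MZ...genuine ICS setup payload (constructed)..."
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b"\x00appended dropper (constructed)"


def demo():
    """Write both samples to a temp dir and check each against the vendor's digest."""
    # In practice this value comes from the vendor out-of-band; here it is
    # derived from the constructed genuine bytes so the example is self-contained.
    published = hashlib.sha256(GENUINE_INSTALLER).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "setup_genuine.exe"
        bad = Path(d) / "setup_from_compromised_site.exe"
        good.write_bytes(GENUINE_INSTALLER)
        bad.write_bytes(TROJANIZED_INSTALLER)
        return {
            "genuine": verify_installer(good, published),
            "trojanized": verify_installer(bad, published),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        verdict = "OK, proceed with install" if ok else "MISMATCH, quarantine and contact vendor"
        print(f"{name}: {verdict}")
```

The check is only as strong as the channel the digest arrives through: a hash listed on the same compromised download page is worthless. On Windows hosts, confirming the package's Authenticode signature (for example with PowerShell's Get-AuthenticodeSignature) complements the hash comparison, since a re-signed or unsigned installer is itself a warning sign.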

This is not the first time security researchers have encountered the group. CrowdStrike, which links it to the Russian government, has been aware of its existence and has tracked its intelligence-collection operations since 2012, noting a shift towards targets in the energy sector in 2013.

Symantec has also known about the group and says it appears to have been in operation since at least 2011. It initially targeted defense and aviation companies, then took aim at U.S. and European energy firms in early 2013.

At the beginning of the week, the U.S. Department of Homeland Security (DHS) released a new advisory from ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team) urging critical infrastructure operators to check their networks for infections by the Havex malware targeting the energy sector.

It may appear that the U.S. energy sector is in the cross-hairs of the Energetic Bear/Dragonfly group, and without any additional official information on the breadth of the espionage operation, it is easy to conclude that Russia is snooping on sensitive U.S. infrastructure.

Reports from security researchers on the newest Havex attacks attributed to the group also seem to confirm that they’re targeting energy suppliers, although it appears that most of the victims are located in Europe.

F-Secure identified three companies, based in Germany, Switzerland and Belgium, whose ICS programs had been trojanized. Symantec's own findings also give three compromised software vendors and name Europe as the region most affected by the new form of attack.

Victims in the U.S. have been detected as well, but these could be considered collateral damage because, according to Symantec, “many of these computers were likely infected either through watering hole attacks or update hijacks and are of no interest to the attacker.”

Spain, France, Italy, Germany, Turkey, Poland, Romania and Serbia are the non-U.S. nations with the most active infections. Despite the large list, the group may have actually had only one target and launched a broader attack in order to hide its true intentions.

Findings from Digital Bond, a security assessment company that identified the three compromised ICS software vendors and named two of them, support the theory that U.S. energy networks were not necessarily on the Dragonfly/Energetic Bear group's list.

One of them is MB Connect Line in Germany. Digital Bond says that “the impact to the critical infrastructure of this company distributing malware along with their software would be minimal in Europe, and minuscule in the US,” because they are very small at the moment.

The other company named is eWON in Belgium, which would also have a minimal impact on the U.S. energy sector because its market is in Europe.

As far as the third compromised company is concerned, Digital Bond could not release the name, but said that it “would have a smaller impact on energy sector than eWON or MB Connect Line.”

Information about the energy grid, along with the ability to affect it in any way, represents an important advantage should a conflict, political, economic or otherwise, occur.

Adam Kujawa, head of Malware Intelligence at Malwarebytes, sees a silver lining where Havex is concerned: it is not as stealthy as other cyber-espionage malware, such as Flame.

On the other hand, it can persist on a system for a longer period because mainstream antivirus products cannot detect it until a sample is obtained; it is custom made and is not advertised anywhere on the web.

“The real threat associated with these attacks isn’t so much the malware but rather the infection vectors. An attacker who is cunning enough and resourceful enough to make numerous different attempts at infecting individual targets is likely to reach users in places they would least expect,” Kujawa told us via email.

Despite recent findings that Havex has been used to attack energy-sensitive sectors, this does not mean it is not employed in other campaigns against other entities. As Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky, pointed out, “the largest amount of the victims Kaspersky Lab identified fall into the industrial/machinery building sector, indicating this is of special interest.

“Among other victims were research universities, pharmaceutical and construction companies, mechanical and information technologies, and a variety of other technical providers.”

This means that Havex is still very likely to steal headlines regarding espionage operations in other sectors until the activity of the group behind it dies down.