Havex, the main malware tool used in the Energetic Bear, a.k.a Dragonfly, campaign has recently gained a lot of attention after the release of reports from F-secure, Symantec, and other research groups, and last week, we talked about threat mitigation and technical tips from Palo Alto Networks.
These reports and prior intelligence suggest that this campaign and its variants have been active since at least 2011, so what’s the big deal with its latest manifestation? If you pay attention to how the worm has evolved to target ICS (Industrial Control Systems) specifically, you’ll understand why such a high level of attention is warranted.
The Game Has Changed
Stuxnet was groundbreaking as the first publicly disclosed APT (Advanced Persistent Threat) specifically targeting ICS. It implemented a variety of advanced attack techniques, but recall that it uniquely exploited a vulnerability in the Siemens WinCC software package used for controlling PLCs.
Fast forward to today, to the new Havex RAT (remote access Trojan) variant which exhibits several disconcerting innovations to APTs targeting ICS. First, it is trojanized via ICS software upgrades that are downloaded from infected vendor websites. Second, it can use ICS protocol, OPC, for at least reconnaissance and data exfiltration, and possibly for reprogramming and supervisory control.
Prior Havex RAT variants utilized spear-phishing and watering hole attacks. Now, the worm is capable of hiding inside ICS software, downloadable by users from the compromised vendors website. Several reports suggest that the affected software vendors, all based out of Europe, were smaller outfits and hence the breadth of exposure was assumedly small. So far none of the bigger names appear to have been hit -- there would be a lot more attention on Havex if that were the case -- but whether a small or large vendor, asset owners now have to more closely scrutinize the integrity of the sites from where they are pulling their software upgrades, and the software packages themselves.
Perhaps more importantly, the Havex RAT has built-in capability to use the industrial control protocol, OPC, as a means for collecting information on OPC servers. To my knowledge, there has not been any publicly disclosed APT that employed OPC, or any ICS protocol for that matter. The choice is a suitable one, in that OPC is a client-server protocol that acts basically as a shim layer to allow multiple vendor products to interoperate. It appears that the developers of the latest Havex RAT wanted to create malware that could be used across multiple ICS environments, at least in those that implement OPC servers.
With the ability to communicate with OPC servers, attackers could potentially steal intellectual property and/or to learn more about the network to plan the next “pivot.” So far, analysis from ICS-CERT has not shown the worm to use OPC for control functionality, but there’s no reason to think it isn’t possible. Furthermore, poorly programmed OPC servers have been known to be subject to accidental crashing by users. It might not be too long before attackers learn how to do this on purpose as part of the malware.
We’re learning more about the latest Havex RAT every day. So far its impact seems to be contained, and the attacks may very well have been targeted to a specific customer, or customers of the affected vendors. Nevertheless this was a successful proof of concept for more broadly applicable ICS attack vectors, and likely to be a precursor for more advanced control systems-focused APTs to come.
In part 2 of this blog, we will discuss specific good practices and technologies that you can use to reduce your ICS attack footprint and to increase your defenses against advanced cyberthreats such as Havex.