Watering Hole Hackers Sniff Out Industrial Control Systems for Future Attack

24 June 2014

F-Secure spots Havex malware group narrowing a focus on ICS/SCADA systems

Security researchers have spotted a new attack campaign using infected ICS/SCADA manufacturer websites as part of watering hole attacks to commit commercial espionage and take over industrial control systems.
 
F-Secure has been monitoring the group behind the Havex malware family for the past year. The remote access Trojan (RAT) has been used in the past to target energy firms as part of campaigns by a group dubbed ‘Energetic Bear’ by Crowdstrike.
 
However, over the past few months F-Secure analyzed 88 Havex variants, 146 C&C servers and 1500 related IP addresses in an investigation which revealed a narrowing of focus by the group to Industrial Control Systems (ICS).
 
As well as distributing Havex through spam emails and via exploit kits, the hackers also sought to exploit vulnerabilities in the web software used to run various ICS vendor sites, replacing legitimate software installers available for download to customers with malicious versions.
 
Of the three websites discovered so far by F-Secure, two belong to suppliers of remote management software for ICS and the third to a producer of "high-precision industrial cameras and related software".
 
“The attackers have trojanized software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed to,” said F-Secure in a blog post.
 
“We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations.”
 
The source of this motivation is still “unclear”, but all of the victims uncovered by F-Secure thus far have been involved in some way with the “development or use of industrial applications or machines”, according to the Finnish security vendor.
 
F-Secure security analyst Sean Sullivan told Infosecurity that the group could well be state-sponsored.
 
“It fits the pattern of a nation state doing intelligence work, getting the lay of the land, in order to find exploitable systems for future 'need',” he argued.
 
“Whatever that may be for a nation state, when tensions flare, they then have a tool to use against their opponents.”
 