Security researchers have spotted a new attack campaign using infected ICS/SCADA manufacturer websites as part of watering hole attacks to commit commercial espionage and take over industrial control systems.
F-Secure has been monitoring the group behind the Havex malware family for the past year. The remote access Trojan (RAT) has previously been used to target energy firms in campaigns attributed to a group that CrowdStrike calls ‘Energetic Bear’.
Over the past few months, however, F-Secure analyzed 88 Havex variants, 146 C&C servers and 1,500 related IP addresses in an investigation that revealed a narrowing of the group's focus to Industrial Control Systems (ICS).
As well as distributing Havex through spam emails and exploit kits, the attackers exploited vulnerabilities in the web software running several ICS vendor sites and replaced the legitimate software installers offered to customers for download with trojanized versions.
Of the three compromised websites discovered so far by F-Secure, two belong to suppliers of remote management software for ICS environments and the third to a producer of "high-precision industrial cameras and related software".
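Because the attackers swapped the installers on the vendors' own download pages, the practical defence on the receiving end is to check each download against a digest obtained through a channel the compromised site does not control (the vendor by signed e-mail, a separate distribution server, or an earlier known-good copy). The Python below is an added example, not code from F-Secure or from this article; the installer bytes, file name and manifest format are constructed assumptions.

```python
import hashlib
import hmac
from pathlib import Path

# Constructed sample data: a known-good installer image and the same image with
# extra bytes appended, standing in for a trojanized copy served from the vendor site.
LEGIT_INSTALLER = b"MZ\x90\x00" + b"vendor-installer-v1.2" * 64
TROJANIZED_INSTALLER = LEGIT_INSTALLER + b"\x00EXTRA-PAYLOAD"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an in-memory blob as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Chunked SHA-256 of a file on disk, so large installers are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Assumed manifest, obtained out-of-band. It must NOT come from the same web page
# as the download: a site that has been compromised can publish a hash that
# matches the trojanized file it serves.
TRUSTED_MANIFEST = {
    "installer-v1.2.exe": sha256_hex(LEGIT_INSTALLER),
}


def verify_installer(name: str, data: bytes, manifest: dict) -> tuple:
    """Return (ok, reason). Install only when ok is True."""
    expected = manifest.get(name)
    if expected is None:
        # An unlisted file is treated as untrusted rather than silently accepted.
        return False, "no trusted digest for this file name; refuse to install"
    actual = sha256_hex(data)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "digest matches trusted manifest"
```

A hash check only proves the file matches what the vendor intended to ship; it does not help if the vendor's build itself was backdoored, which is why the manifest's provenance matters as much as the comparison.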
“The attackers have trojanized software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed,” said F-Secure in a blog post.
“We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations.”
The source of this motivation is still “unclear”, but all of the victims uncovered by F-Secure thus far have been involved in some way with the “development or use of industrial applications or machines”, according to the Finnish security vendor.
F-Secure security analyst Sean Sullivan told Infosecurity that the group could well be state-sponsored.
“It fits the pattern of a nation state doing intelligence work, getting the lay of the land, in order to find exploitable systems for future 'need',” he argued.
“Whatever that may be for a nation state, when tensions flare, they then have a tool to use against their opponents.”