In a previous episode of The Sentryo Files, we talked about a cyberattack on a Soviet oil pipeline at the end of the Cold War… Today find out about the massive espionage campaign waged on companies in the energy sector by the Havex malware in 2013 and 2014.
Over 1000 companies in the energy sector fall victim to the Havex malware
The attack, which was particularly sophisticated, was led by a group of hackers known as Dragonfly or Energetic Bear. This group has also been credited with several other APT (Advanced Persistent Threat) campaigns. For Havex, the attackers used several attack strategies (phishing, compromised websites and infected software updates) to penetrate the internal networks of energy-sector companies and steal data.
How Dragonfly infected the SCADA systems of the energy sector
According to various cybersecurity experts, the Havex attack was meticulously prepared. The highly complex cyberattack, carried out in 2013/2014, combined 3 different compromise vectors to infect the internal networks of over 1000 companies in the energy sector.
First stage: spear phishing
Between February and June 2013, the hackers sent emails containing an infected PDF file to high-level executives in the energy sector. Far from traditional spam campaigns, these emails were carefully drafted and personalized for heightened credibility. Opening the attachment introduced malware into the internal networks.
Second stage: watering hole attack
Between May 2013 and April 2014, the group of hackers launched the 2nd stage of the attack, which consisted of compromising websites related to the energy sector. This watering hole attack used legitimate websites to infect the computers of their visitors. Using exploit kits known as LightsOut and Hello, the hackers redirected visitors to malicious websites where their IT systems were infected with a Remote Access Tool (RAT) designed to open a backdoor into the network.
Third stage: infection of SCADA
The hackers also infected SCADA software updates supplied by 3 providers located in Germany, Switzerland and Belgium. The attackers managed to modify the websites of these software providers so that their industrial customers would download the trojanized updates and introduce Havex into the ICS while updating their software. According to the providers, the malware was available on their official websites for 10 days to 6 weeks before being detected and removed. During this long window, many customers and industrial companies could have been contaminated. It is very difficult to assess the scope of contamination.
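The defensive counterpart to this third stage is to check every vendor update against integrity information obtained through a channel other than the download site itself. The following script is an added example written for this article; it is not Sentryo's code, nor code from any of the affected software providers. It assumes the vendor publishes per-file SHA-256 digests out of band (for instance in signed release notes or a support portal), so that a web server compromise that swaps the installer cannot also swap the expected digest. File names, bytes and the manifest are constructed placeholders.

```python
"""Verify a downloaded SCADA software update against an out-of-band SHA-256 manifest.

Added example, not the page's or any vendor's code. The manifest is assumed to
come from a separate, trusted channel; a digest published on the same
compromised website would offer no protection.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class VerificationResult:
    filename: str
    ok: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the installer bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'digest  filename' lines (sha256sum format); blanks and # comments are ignored."""
    manifest: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[parts[1].strip()] = parts[0].lower()
    return manifest


def verify_update(filename: str, data: bytes, manifest: dict[str, str]) -> VerificationResult:
    """Accept the file only if it is listed in the manifest and its digest matches."""
    expected = manifest.get(filename)
    if expected is None:
        return VerificationResult(filename, False, "file not listed in manifest")
    actual = sha256_hex(data)
    # Constant-time comparison; not strictly needed for public digests, but a good habit.
    if not hmac.compare_digest(actual, expected):
        return VerificationResult(
            filename, False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
        )
    return VerificationResult(filename, True, "digest matches manifest")


# Constructed sample data: a "genuine" installer and a tampered copy with bytes appended,
# mimicking an installer swapped on a compromised vendor download page.
GENUINE_INSTALLER = b"ExampleSCADA-Setup-1.2.3 (constructed placeholder installer bytes)"
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x00<constructed appended payload>"
MANIFEST_TEXT = (
    "# constructed manifest, assumed to be obtained out of band\n"
    f"{sha256_hex(GENUINE_INSTALLER)}  ExampleSCADA-Setup-1.2.3.exe\n"
)


def run_demo() -> tuple[VerificationResult, VerificationResult, VerificationResult]:
    """Verify the genuine file, the tampered file, and a file absent from the manifest."""
    manifest = parse_manifest(MANIFEST_TEXT)
    return (
        verify_update("ExampleSCADA-Setup-1.2.3.exe", GENUINE_INSTALLER, manifest),
        verify_update("ExampleSCADA-Setup-1.2.3.exe", TAMPERED_INSTALLER, manifest),
        verify_update("ExampleSCADA-Driver-0.9.exe", GENUINE_INSTALLER, manifest),
    )


if __name__ == "__main__":
    for result in run_demo():
        print("PASS" if result.ok else "FAIL", result.filename, "-", result.reason)
```

The check is deliberately binary: an unlisted file is rejected just like a mismatched one, because an update the vendor never announced is exactly what a trojanized download looks like. Where the vendor signs its installers, verifying that signature against a pinned vendor certificate is a stronger version of the same control.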
Consequences of the Havex infection for industries
Regardless of the contamination vector used, the hackers were able to remotely monitor the industrial systems infected during the attack using the Karagany Trojan horse and the Oldrea backdoor. By scanning the local networks and detecting devices using the OPC (Open Platform Communication) industrial protocol, the hackers were able to collect information on industrial devices and send it to a command and control server (C&C) for analysis.

The lessons to be learned from this cyberattack against industrial systems
This incident in the energy production sector shows us once again that users of industrial systems must be aware of the risks of contamination of their networks through phishing (sending infected emails with contaminated attachments). It also reminds us that software updates can be contaminated even if they come directly from the software developers.
To protect yourself from a malicious attack like Havex in the industrial sector, various preventive measures need to be considered:
- Build awareness among employees of IT security best practices and teach them how to spot suspicious emails to avoid the spread of malicious programs via phishing
- Install a solution to detect changes in computer configurations in order to spot compromises such as Trojan horses or backdoors
- Implement a process for the analysis of software updates to ensure they do not contain malicious programs
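The OPC enumeration described above (a compromised host scanning the local network for OPC devices before reporting to a C&C server) is also a detectable behaviour. OPC Classic runs over DCOM, which begins every session with the RPC endpoint mapper on TCP port 135, so a single workstation suddenly contacting many internal hosts on that port within a short window is a useful alert. The script below is an added example, not Sentryo's code and not part of ICS CyberVision; the log format, the hosts and the thresholds are constructed assumptions to be tuned per site.

```python
"""Flag hosts that sweep the local network for OPC/DCOM endpoints (TCP/135).

Added example, not the page's or any product's code. Input is a constructed
connection log with lines of the form 'timestamp src dst dport', assumed to be
sorted by time (as a flow collector would emit them).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

OPC_DCOM_PORT = 135                       # RPC endpoint mapper used by OPC Classic (DCOM)
DISTINCT_HOST_THRESHOLD = 5               # assumed: distinct destinations before alerting
WINDOW = timedelta(seconds=60)            # assumed: sliding window for counting


def parse_line(line: str) -> tuple[datetime, str, str, int]:
    """Parse one constructed log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_opc_sweeps(lines, threshold=DISTINCT_HOST_THRESHOLD, window=WINDOW) -> dict[str, datetime]:
    """Return {src: time_of_first_alert} for sources contacting >= threshold distinct
    hosts on the OPC/DCOM port within the sliding window."""
    recent: dict[str, deque] = defaultdict(deque)   # src -> (ts, dst) pairs, oldest first
    alerts: dict[str, datetime] = {}
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if dport != OPC_DCOM_PORT:
            continue                                 # only DCOM endpoint-mapper traffic matters here
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:           # drop connections older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = ts                         # first moment the sweep crosses the threshold
    return alerts


# Constructed sample log: 10.1.0.20 is an HMI polling its two OPC servers (normal),
# 10.1.0.5 is a workstation sweeping six hosts in seconds (suspicious),
# 10.1.0.7 does unrelated HTTP traffic.
SAMPLE_LOG = """\
2014-03-10T08:00:00 10.1.0.20 10.1.0.50 135
2014-03-10T08:00:05 10.1.0.20 10.1.0.51 135
2014-03-10T08:00:10 10.1.0.5 10.1.0.50 135
2014-03-10T08:00:11 10.1.0.5 10.1.0.51 135
2014-03-10T08:00:12 10.1.0.5 10.1.0.52 135
2014-03-10T08:00:13 10.1.0.5 10.1.0.53 135
2014-03-10T08:00:14 10.1.0.5 10.1.0.54 135
2014-03-10T08:00:15 10.1.0.5 10.1.0.55 135
2014-03-10T08:00:20 10.1.0.7 10.1.0.60 80
2014-03-10T08:01:00 10.1.0.20 10.1.0.50 135
""".splitlines()


def run_demo() -> dict[str, str]:
    """Run the detector over the constructed log; returns {src: ISO timestamp of alert}."""
    return {src: ts.isoformat() for src, ts in detect_opc_sweeps(SAMPLE_LOG).items()}


if __name__ == "__main__":
    for src, when in run_demo().items():
        print(f"ALERT {when} {src} contacted >= {DISTINCT_HOST_THRESHOLD} hosts on TCP/{OPC_DCOM_PORT}")
```

The HMI that polls the same two OPC servers all day never crosses the threshold, while the sweeping workstation is flagged at the fifth distinct destination. In a real deployment the threshold should sit just above the number of OPC servers a given host legitimately talks to, and the alert is worth correlating with the configuration-change monitoring recommended above.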
Note: During this campaign, different vulnerabilities affecting some older versions of Windows were used. The latest version of ICS CyberVision detects the network machines using these obsolete versions and displays the vulnerabilities associated with these incompatible versions.
The cyberattack carried out by the Dragonfly group must serve as a reminder to directors of strategic infrastructures that ICS and SCADA systems are obvious targets. As for the Havex malware, based on the data stolen, we cannot rule out the possibility that the attackers' initial aim was to carry out industrial sabotage. The heads of industrial security systems must implement all the cybersurveillance measures available to them to ensure the protection of sensitive equipment, especially in the energy sector, by equipping themselves with a tailored cybersecurity solution.