Since Stuxnet there have been few confirmed reports of malware targeting particular industrial control system software. But now we have a campaign using the Havex remote access Trojan that has three European energy sector vendors in its crosshairs—or does it?
The outbreak, reported by security vendors and ICS-CERT last week, for now has experts spinning up more questions than solutions to the problem. Is this campaign truly a targeted attack against these three relatively small ICS vendors, two of which have been identified, or is it a dry run for something bigger?
“[The three victims] hardly appear to be ICS companies, which is interesting. So why were they targeted?” said Dale Peterson, CEO and founder of Digital Bond. “Did [the attackers] know a certain industry sector, country or organization used those three products? Or are they just going around to prove this thing out?”
Digital Bond last week published the names of two of the three victim companies targeted by Havex: MB Connect Line of Germany, a manufacturer of wind turbines and biogas, and eWON of Belgium, which provides VPN access for programmable logic controllers. The third victim, which is identified by US-CERT and available to anyone with access to its secure portal, is a Swiss manufacturer of high precision industrial cameras.
ICS-CERT last week issued an advisory on Havex, warning that it was spreading not only via phishing and spam emails, but also through website redirects via watering hole attacks conducted against the vendor websites. Watering hole attacks exploit vulnerabilities in popular websites frequented by a campaign’s true targets, in this case customers of the respective vendors looking for updates or other resources hosted by the vendor.
In addition to behaving like a traditional RAT, Havex gathers system information and data stored on a compromised client or server using the Open Protocol Communications (OPC) standard. OPC is a typical ICS protocol, Peterson said.
“With very few exceptions, it lacks any security,” he said. “You want it to do something, it will, without authentication, source or data. OPC is interesting in that if you want to get into lots of systems, it’s a good protocol to pick. It’s like a universal translator. Lots of sites, no matter what vendor they’re using for ICS, have OPC to pass information around.”
“OPC is pervasive,” said Adam Crain of Automatak. “It is one of the most common ICS protocols. It is used as the ‘glue’ to tie systems together and translate other protocols.”
While Havex wasn’t targeting the protocol directly, it could have been gathering information for another stage of the campaign.
K. Reid Wightman, also of Digital Bond, tweeted speculatively last week that Havex’s ultimate target could be data centers.
Stupid thought: Havex could be about data centers. OPC often used for PQM and UPS monitoring/control, crosses the corporate/NMS boundary.
— K. Reid Wightman (@ReverseICS) July 3, 2014
Peterson, meanwhile, said that if Havex is a proof of concept, that would dampen the targeted aspect of the campaign.
“I’ve had a number of people tell me they think it’s just a proof of concept to test out the OPC portion of it, and that they picked out soft targets before putting it out to larger targets,” he said. “They could be proving out their OPC code by going out to find servers and enumerating them, wanting to make sure it’s working.
“My guess is there’s still some reason those companies were selected. I’m hoping someone, whether it’s the government or CERTs working for governments, is getting client lists from these vendors and looking for some intersections.”
Now four years removed from Stuxnet, Havex may not have the same destructive capabilities, but it bears watching.
“Keep an eye on the ICS impact of this attack,” Peterson said. “In the early days of Stuxnet, it took three or four months before we realized it was rewriting code in a PLC. As more people dig in, maybe we will find some interesting things beyond it.”