30 June 2014

STUXNET-LIKE ‘HAVEX’ MALWARE STRIKES EUROPEAN SCADA SYSTEMS; CAPABILITY TO POSSIBLY DISABLE HYDROELECTRIC DAMS, OVERLOAD NUCLEAR POWER PLANTS; AND, EVEN SHUT DOWN A COUNTRY’S POWER GRID

June 26, 2014 ·
Stuxnet-Like ‘Havex’ Malware Strikes European SCADA Systems

Swati Khandelwal has an article on the website The Hacker News, today, June 26, 2014, with the title above. He writes that [cyber] security researchers have uncovered a new, Stuxnet-like malware, named as ‘Havex,’ which was used in a number of previous cyber attacks against organizations in Europe — the energy sector.” “Just like the Famous Stuxnet Worm, which was specifically designed to sabotage the Iranian nuclear project, the new trojan Havex — is also programmed to infect industrial control system softwares of SCADA and ICS systems, — with the capability to possibly disable hydroelectric dams, overload nuclear power plants, and even shut down a country’s power grid –with a single keystroke.”

According to the [cyber] security firm F-Secure, who first discovered it as a Backdoor:W32/Havex.A, it is a generic remote access Trojan (RAT); and, has recently been used to carry out industrial espionage against a number of companies in Europe — that use or develop industrial applications and machines,” wrote Mr. Khandelwal.

Smarty Pants, Trojanized Installers

Mr. Khandelwal notes that “in order to accomplish this, besides the traditional infection methods such as explicit kits and spam emails, cyber criminals also used another effective method to spread Havex RAT, i.e., hacking the websites of software companies; and, waiting for targets to install trojanizd versions of legitimate apps.”

“During installation, the trojanized software setup drops a file called “mbcheck.dll, which is actually Havex malware, that attackers are using as a backdoor. “The C and C server will [then] instruct infected computers to download and execute further components,”

— “We gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control servers contacted by the variants, which in turn, — involved tracing around 1500 IP addresses in an attempt to identify victims,” F-Secure said.

F-Secure didn’t mention the names of the affected vendors, but an industrial machine producer and two educational organizations in France, with companies in Germany — were targeted.

Information Gathering

“Havex RAT is equipped with a new component, whose purpose is to gather network and connected devices information — by leveraging the OPC (Open Platform Communications) standard,” wrote Mr. Khandelwal. “The malware scans the local network for the devices that respond to OPC requests to gather information about industrial control devices; and, then sends that information back to its command-and-control server.”

“Other than this, it also include information-harvesting tools that gather data from the infected systems,” adds Mr. Khandelwal, such as:

— Operating system related information;

— A credential-harvesting tool that stole passwords stored on open

web browsers;

— A component that communicates to different Command-And-Control

servers using custom protocols; and, execute tertiary payloads in

memory.

“So far, we have not seen any payloads that attempts to control the connected hardware.” F-Secure confirmed.

Motivation

“While their motivation is unclear at this point, “We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems in those organizations,” said F-Secure.

Havex Trojan From Russia?

“In January of this year, the cyber security firm CrowdStrike revealed about a cyber espionage campaign, dubbed “Energetic Bear,” where hackers possibly tied to Russian Federation penetrating the computer networks of energy companies in Europe, the United States, and Asia. According to CrowdStrike, the malwares used in those cyber attacks were Havex RAT and SYSMain RAT, and both tools have been operated by the attackers since at least 2011. That means, it is possible that Havex RAT could somehow be linked to Russian hackers; or, state-sponsored Russian Government [entities].”

Unfortunately, what originates in Russia, or anywhere else for that matter — with respect to cyber malware/viruses, etc., doesn’t stay in Russia. I would expect other cyber malcontents to deconstruct and reverse-engineer this bug in order to see if it can be made even more “lethal,” and damaging that it may already be

No comments: