Security researchers have uncovered a series of Trojan-based attacks which have infiltrated several targets by infecting industrial control system software from the makers of SCADA and ICS systems.
The majority of the victims are located in Europe, though at the time of
writing at least one US firm's compromised gear appears to be phoning
home to botnet control servers set up by the attackers.
Two of the European victims are major educational institutions in
France known for technology-related research; two are German industrial
application or machine producers; one is a French industrial machine
producer; and one is a Russian construction firm.
The motive for the attacks, much less the identity of their perpetrators, remains unclear.
The attacks, which began earlier this year, were pulled off using the Havex
general purpose Remote Access Trojan (RAT) and a server running PHP.
"The attackers have [made] Trojanised software available for download from
ICS/SCADA manufacturer websites in an attempt to infect the computers
where the software is installed", Finnish security software firm
"We gathered and analysed 88 variants of the
Havex RAT used to gain access to, and harvest data from, networks and
machines of interest. This analysis included investigation of 146
command and control (C&C) servers contacted by the variants, which
in turn involved tracing around 1,500 IP addresses in an attempt to
Elements of the malicious code are designed to
"harvest data" from infected machines used in ICS/SCADA systems.
F-Secure reasons that this means the unknown attackers are taking steps
to give them control of the ICS/SCADA systems in various organisations,
rather than just using vulnerable control system set-ups as a means to
infiltrate corporate networks. If successful the attack establishes a
backdoor on compromised networks that can easily be used to push
secondary samples of malicious code.
The miscreants behind the attack are using third-party compromised websites, mainly blogs, as command and control servers.
Havex RAT at the centre of the assault is distributed through either
spam emails, exploit kits or (much more unusually) trojan-laden
installers planted on compromised vendor sites.
"It appears the
attackers abuse vulnerabilities in the software used to run the websites
to break in and replace legitimate software installers available for
download to customers," F-Secure's researchers Daavid Hentunen and Antti
Tikkanen explain in a blog post.
F-Secure has uncovered three software vendor sites that were hacked to act as a
conduit for malware distribution. All three unnamed companies in
Germany, Switzerland and Belgium are involved in development of
applications and appliances for use in industrial applications. Two of
the firms supply remote management software for industrial control systems
while the third develops high-precision industrial cameras and related
software. Other firms might easily have been hit by the same attack.
"The attackers behind Havex are conducting industrial espionage using a
clever method. Trojanising ICS/SCADA software installers is an effective
method in gaining access to target systems, potentially even including
critical infrastructure," F-Secure says.
"The method of using
compromised servers as C&C's is typical for this group," F-Secure
continues. "The group doesn't always manage the C&C's in a
professional manner, revealing lack of experience in operations. We
managed to monitor infected computers connecting to the servers and
identify victims from several industry sectors."
"The payload used to gather details about ICS/SCADA hardware connected to
infected devices shows the attackers have direct interest in controlling
such environments," it added.
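As an added example (not F-Secure's code or anything from the original article), one way a defender can hunt for the kind of check-in traffic described above is to look in web-proxy logs for hosts on an engineering subnet making regular POSTs to PHP endpoints on web servers outside an allow-list. The log format, subnet, allow-list and sample lines below are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from urllib.parse import urlsplit

ICS_SUBNET = ip_network("10.20.0.0/16")                          # assumed engineering VLAN
ALLOWED_HOSTS = {"updates.vendor.example", "ntp.corp.example"}   # assumed allow-list

# Constructed proxy log lines: "<ISO time> <src ip> <method> <url> <status>"
SAMPLE_LOG = """\
2014-06-24T08:00:00 10.20.1.15 POST http://blog.example.net/wp-content/x.php 200
2014-06-24T08:30:01 10.20.1.15 POST http://blog.example.net/wp-content/x.php 200
2014-06-24T09:00:02 10.20.1.15 POST http://blog.example.net/wp-content/x.php 200
2014-06-24T09:30:00 10.20.1.15 POST http://blog.example.net/wp-content/x.php 200
2014-06-24T08:05:00 10.20.1.15 GET http://updates.vendor.example/setup.exe 200
2014-06-24T08:07:00 10.20.2.7 POST http://shop.example.org/cart.php 200
2014-06-24T11:00:00 10.20.2.7 POST http://shop.example.org/cart.php 200
2014-06-24T08:09:00 10.99.0.3 POST http://blog.example.net/wp-content/x.php 200
"""

def find_beacons(log_text, min_hits=3, max_jitter=0.2):
    """Return {(src, host, path): hit_count} for regular POSTs to non-allowed PHP endpoints."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, method, url, _status = line.split()
        # Only engineering-network hosts and POST traffic are of interest here
        if ip_address(src) not in ICS_SUBNET or method != "POST":
            continue
        parts = urlsplit(url)
        if parts.hostname in ALLOWED_HOSTS or not parts.path.endswith(".php"):
            continue
        hits[(src, parts.hostname, parts.path)].append(datetime.fromisoformat(ts))

    beacons = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Near-constant intervals suggest an automated check-in rather than browsing
        if pstdev(gaps) <= max_jitter * mean(gaps):
            beacons[key] = len(times)
    return beacons

if __name__ == "__main__":
    for (src, host, path), n in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}{path}: {n} regular POSTs")
```

On the sample data only the engineering host posting every 30 minutes to the blog's PHP script is flagged; the two irregular shop requests and the host outside the subnet are not.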