Hackers used watering hole attacks, compromising the websites of software vendors, to lay their trap.
Hackers used watering hole attacks, compromising the websites of software vendors, to lay their trap.

“Havex,” malware previously targeting organizations in the energy sector, has recently been used to carry out industrial espionage against a number of companies in Europe, a security company revealed.

Finnish antivirus firm F-Secure found that among the victims, were two major educational organizations in France, as well as an industrial machine producer in the country, and two German manufacturers of industrial applications and machines.

In a Monday blog post, the company also said that one firm in California was targeted by Havex, a RAT (remote access trojan) that collects data from supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS).

Throughout this spring, F-Secure detected 88 variants of the malware, which had been used to “gain access to, and harvest data from, networks and machines of interest,” the blog post said.

To get a foothold in targeted organizations, Havex attackers used watering hole tactics, where hackers draw numerous victims to one destination, like an infected website, to maximize their impact.

In this incident, three ICS vendor websites were compromised, so miscreants could “replace" legitimate software installers hosted on sites with ones that had been trojanized to deliver the Havex RAT, F-Secure said. The software vendor sites belonged to companies in Germany, Switzerland and Belgium.

In addition to the watering hole attacks, spam and exploit kits were leveraged by attackers to deliver the malware. Of note, Havex makes use of an industrial standards specification, OLE for Process Control (OPC), which allows Windows applications to interact with process control hardware, F-Secure revealed.

“Using OPC, the malware component gathers any details about connected devices and sends them back to the [command-and-control server] for the attackers to analyze,” the blog post said. “It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.”

In Wednesday email correspondence with SCMagazine.com, Sean Sullivan, security advisor at F-Secure, said that using Havex would be the “first step which needs to be taken” if an attacker were to design malware with the purpose of infecting industrial control systems.

“You can't know what's worth developing an attack for without first finding out what and where the potential targets exist,” Sullivan wrote. “You don't actually need to infect the ICS if you control the computer controlling the ICSs. Stuxnet, for example, is a very special case because it was targeting an air gapped system. It needed to do its job on the SCADA. But in this case, and in future potential cyber-conflicts, the actors don't actually need to compromise the ICS devices themselves, if they control the controller – which is connected to the internet," Sullivan said.

This spring, F-Secure found that the 88 variants of Havex it analyzed had contacted 146 command-and-control servers.