Nation state behind malware attacks on European ICS systems?

News by Doug Drinkwater

Researchers at F-Secure have found that cyber-criminals are using the Havex malware family to compromise equipment made by industrial control system manufacturers in Germany, Belgium and Switzerland.

In a security advisory posted on Tuesday, the Finnish company F-Secure detailed how it has tracked the Havex malware family and the group behind it for the best part of a year. Havex, as revealed by Crowdstrike in January, comprises a general-purpose RAT and a server written in PHP and has previously targeted companies operating in the energy sector. It was named Havex as the name can be clearly seen in the server source code.

F-Secure first noticed that Havex took a “specific interest” in Industrial Control Systems (ICS) in the spring, and said that the group is able to compromise these systems by hacking into the websites of ICS manufacturers and ‘trojaning' their download sites to poison legitimate software downloads. Havex RAT can also infect machines via spam email and web-based exploit kits.

The firm was able to identify the group's intentions for Havex because, when looking at the cyber-criminals' C&C servers, it found that one binary directory was left open. Amusingly, closing the directory was in a to-do list in the code itself.

F-Secure found that 88 variants of Havex RAT were used to gain access to and harvest data from networks and machines of interest, and claims that 146 C&C servers were contacted by the variants – leading to the possibility of 1,500 infected IP addresses.

But researchers say that hackers aren't only compromising a system – they're also using code to harvest data from infected machines used in ICS/SCADA systems. “This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organisations.”

In the open directory, F-Secure threat intelligence staff found an additional binary, with a payload to crawl a network of ICS devices. In total, the company found that three European ICS makers had been targeted in particular.

These organisations are based in Germany, Switzerland and Belgium. Two of them are suppliers of remote management software for ICS systems while the third develops “high-precision industrial cameras and related software.”

Speaking to, F-Secure Labs security advisor Sean Sullivan said that he believes that this is the work of a nation state.

“Now it looks like a nation state that has a political interest in what's going on in western Europe.

“It's a level on from Flame and Stuxnet - there doesn't seem to be a particular target.” Sullivan added that it may simply be a case of ‘what's out there' and that any useful information may be passed onto cyber offence teams “should they need it for a crisis situation.”

As an example, Sullivan said that a nation-state could compromise a bottle assembler. “You take out water supply and government gives out bottled water. But if you take our water, you have a very hard time fighting back.”

Attributing these attacks to one particular country or region is difficult and complicated, says Sullivan. Earlier attention on the group focused on the Russian language, but more recent activity suggests ‘quirks' in the English language and numerous misused words.

Sullivan adds that China is likely ruled out as the C&C server was hosted on compromised websites and blogs, and not in the country. The IP addresses don't fit the ‘pattern' of a Russian attack, leading Sullivan to speculate about cyber espionage within the EU or from the US.

In the summary, F-Secure said: “The attackers behind Havex are conducting industrial espionage using a clever method. Trojanizing ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure.

“The method of using compromised servers as C&C's is typical for this group. The group doesn't always manage the C&C's in a professional manner, revealing lack of experience in operations. We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors.

“The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments. This is a pattern that is not commonly observed today.”

Pete Wood, CEO of First Base Technologies and a member of ISACA UK, told SC UK: "Attacks against Industrial Control Systems appear to be increasing. The F-Secure report illustrates an escalation in both targeting and sophistication – compromising vendor download sites is a clever approach that is very likely to succeed. This report demonstrates that some ICS vendors remain unaware of the importance of protecting their websites and software distribution methods, as well as the security of their products themselves.

"ICS end user organisations must develop processes to protect themselves from potentially infected ICS software. Downloads from vendor sites must be subject to malware analysis before files are run or installed. Failure to vet new software, from whatever source, will result in more infected systems with potentially catastrophic results. ICS systems must be isolated from Internet connectivity wherever possible to minimise the opportunity for malicious remote control, and regularly inspected and tested for possible malware infection and security vulnerabilities."

With SCADA and ICS systems increasingly under attack, Sullivan concluded that governments too will have to get 'smarter' at advising companies on the threats.
