Havex aka Dragonfly

Havex is a Remote Access Trojan (RAT) that surfaced as early as September 2013. Symantec tracks the group behind it as Dragonfly; CrowdStrike tracks the same group as Energetic Bear, whose activity in the energy sector was observed in August 2012. Havex’s early targets appear to be European companies and educational institutions. These targets are not ICS vendors themselves, and the relationship to ICS is unclear, but ICS-CERT, F-Secure, Symantec, Kaspersky, and others are tracking these attacks. At the moment, Havex appears only to retrieve structural intelligence about its targets, possibly in advance of future attacks. Havex is distributed through compromised web sites (samples here) that induce users to download software infected with Havex (a watering hole attack).

Havex has dozens of variants and is delivered by multiple methods: phishing e-mails, watering hole sites, and so on. F-Secure has already identified many (146 so far) command and control (C&C) servers used by these variants.
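Those C&C servers are indicators a defender can act on right away by sweeping outbound web logs for any contact with them. The script below is an added example, not code from this post, from F-Secure, or from any of the vendors named above. It assumes a simple space-separated proxy log (timestamp, source IP, method, URL, status) and a constructed indicator set of placeholder names and a documentation-range IP, not real Havex infrastructure. Domain indicators match the host and all of its subdomains; IP indicators match exactly.

```python
"""Sweep proxy log lines for contact with known C&C indicators (added example)."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Constructed indicator set standing in for a vendor-published C&C list.
# These are placeholders (RFC 2606 names, RFC 5737 address), not real Havex C&C.
C2_INDICATORS: Set[str] = {
    "c2-one.example",
    "update.c2-two.example",
    "203.0.113.10",
}

# Constructed proxy log lines for the example; not captured from a real network.
SAMPLE_PROXY_LOG: List[str] = """\
2014-06-23T10:12:01Z 10.0.0.5 GET http://www.vendor-portal.example/download/setup.exe 200
2014-06-23T10:12:44Z 10.0.0.5 GET http://UPDATE.C2-TWO.example:8080/ok.php 200
2014-06-23T10:13:02Z 10.0.0.9 POST http://203.0.113.10/gate.php 200
2014-06-23T10:13:30Z 10.0.0.9 GET http://news.example/index.html 304
2014-06-23T10:14:00Z 10.0.0.7 GET http://mirror.c2-one.example/blog/wp-content/plugins/x.php 200
""".splitlines()


def _normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and any :port suffix."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:  # host:port (IPv6 literals are not expected here)
        host = host.split(":", 1)[0]
    return host


def matches_indicator(host: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator that `host` matches, or None.

    IP hosts must match an indicator exactly. Domain hosts match an indicator
    if the host itself or any parent domain (down to the registrable name,
    never the bare TLD) is in the set.
    """
    h = _normalize_host(host)
    try:
        ipaddress.ip_address(h)
        return h if h in indicators else None
    except ValueError:
        pass  # not an IP literal; fall through to domain matching
    labels = h.split(".")
    # Stop before the final label so a bare TLD such as "example" never matches.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def hunt(log_lines: Iterable[str], indicators: Set[str] = C2_INDICATORS) -> List[Dict[str, str]]:
    """Return one record per log line whose request host matches an indicator."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line; skip rather than crash the sweep
        timestamp, src, _method, url = parts[:4]
        host = urlsplit(url).hostname or ""  # hostname is lower-cased, port stripped
        ioc = matches_indicator(host, indicators)
        if ioc is not None:
            hits.append({"timestamp": timestamp, "src": src, "host": host, "indicator": ioc})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROXY_LOG):
        print(f"{hit['timestamp']} {hit['src']} -> {hit['host']} (indicator: {hit['indicator']})")
```

Run against the constructed log, the sweep flags the two placeholder domains (including the subdomain of c2-one.example) and the placeholder IP, and ignores the unrelated vendor and news hosts. The parent-domain walk matters in practice: C&C lists are often published as registrable domains, while the hosts actually seen in logs carry extra labels.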

The total number of variants, attack vectors, C&C servers, and years in service is scary. A great deal of data has been collected across multiple industries. It feels to me like a nation-state preparing for cyberattacks (plural).
