Havex

Threat Actor Profile, updated 4 days ago
Havex, also known as Dragonfly or the Energetic Bear RAT, is a prominent threat actor in the cybersecurity landscape. First spotted in 2013, Havex was part of a broad industrial espionage campaign that specifically targeted Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) environments, primarily in Europe. The threat actors behind Havex used a variety of infection techniques, including phishing emails and the compromise of ICS equipment vendor websites, where they replaced legitimate software updates with malicious versions that infected victims who downloaded the Trojanized updates. This gave the threat actors remote access to infected networks and let them harvest data from compromised machines.

The IRON LIBERTY threat group notably used Havex, along with custom malware such as Sysmain and xFrost (now Karagany), in its operations prior to 2014. A comparison between Heriplor and an IRON LIBERTY Havex second-stage malware sample from 2014 revealed identical file-writing behaviour and shared command and control (C2) servers, suggesting that Heriplor was developed from the Havex code base. However, CTU researchers found no evidence that other threat actors have used Havex or Heriplor, indicating that both remain associated with specific threat groups.

Havex joins the ranks of the few ICS-specific malware families, such as EKANS and CRASHOVERRIDE, that contain explicit references to industrial processes. Among these, Stuxnet and Industroyer/CrashOverride are well-known examples that were used in significant cyberattacks on Iran's uranium enrichment facility and Ukraine's power grid, respectively. In 2014, Havex was hidden in IT product downloads and used to breach IT/OT firewalls, gathering intelligence from OT networks. UNC2447, another threat actor, has been observed using 'Havex' Malleable profiles during the initial stages of intrusion, for persistence and for communication with C2 servers over HTTPS.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Overlapping profiles (ID, votes, profile description):

Dragonfly (2 votes): Dragonfly is a notable threat actor known for its malicious activities in the cybersecurity landscape. This group has been particularly active in targeting the energy sector across various countries, including the United States, Switzerland, and Turkey. The tactics employed by Dragonfly often involv

IRON LIBERTY (1 vote): Iron Liberty is a threat actor group that has been active since at least 2010, as per the timeline of activity observed by CTU researchers. The group specializes in cyber espionage and has been particularly focused on targeting Industrial Control Systems (ICS) companies within the energy sector. Iro

Heriplor (1 vote): Heriplor, a notable threat actor in the cybersecurity landscape, has been associated with multiple malicious campaigns involving the use of advanced Trojans. The entity is particularly linked to the Dragonfly 2.0 campaign, where it utilized both the Heriplor and Karagany Trojans, which were also emp
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Malware, ICS, Ransomware, Implant, Backdoor, Espionage, RAT, Dropper, Beacon, Phishing.
Associated Malware
Associated malware (ID, type, votes, profile description):

Stuxnet (type unspecified, 2 votes): Stuxnet, a notorious malware discovered in 2010, is one of the most infamous Advanced Persistent Threat (APT) attacks in history. This military-grade cyberweapon was co-developed by the United States and Israel to specifically target Iran's nuclear enrichment facility at Natanz. The Stuxnet worm, a

Crashoverride (type unspecified, 2 votes): CrashOverride, also known as Industroyer, is a notorious malware that was leveraged in 2016 to disrupt Ukraine's power grid at the transmission substation level. This malicious software, believed to be state-sponsored by Russia, manipulated Industrial Control Systems (ICS) equipment through the abus

Industroyer2 (type unspecified, 1 vote): Industroyer2 is a sophisticated piece of malware designed to target Industrial Control Systems (ICS), developed and deployed by the Russian state-sponsored advanced persistent threat group, Sandworm. The group has been active since 2007 and used Industroyer2 in a significant attack against Ukraine's

Cobalt Strike Beacon (type unspecified, 1 vote): Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an

FIVEHANDS (type unspecified, 1 vote): FiveHands, also known as HelloKitty, is a sophisticated form of malware that primarily targets financial institutions. It was first reported by Mandiant in April 2021 as part of a cyber threat posed by the UNC2447 group. The ransomware is typically delivered through Encryptor.exe, a loader that init

DEATHRANSOM (type unspecified, 1 vote): DeathRansom is a form of malware, specifically ransomware, known for its damaging effects on computer systems. It operates by infiltrating systems through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for ranso

HELLOKITTY (type unspecified, 1 vote): HelloKitty is a malicious software (malware) that has been designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold dat

malware.binary.exe (type unspecified, 1 vote): no description.

SombRAT (type unspecified, 1 vote): Sombrat is a sophisticated malware that poses a significant financial threat, as reported by Mandiant in April 2021. It operates in conjunction with FIVEHANDS Ransomware under the umbrella of UNC2447, a malicious cyber activity group. The malware infects systems through suspicious downloads, emails,

EKANS (type unspecified, 1 vote): EKANS, also known as SNAKE (the word EKANS spelled backwards), is a significant strain of malware that emerged in mid-December 2019. It was one of the more concerning ransomware strains observed in 2020, accounting for 6% of all ransomware attacks monitored by IBM Security X-Force in that year. The

BlackEnergy (type unspecified, 1 vote): BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a

Pipedream (type unspecified, 1 vote): Pipedream, a highly sophisticated malware discovered in 2022, has been designed specifically to infiltrate and control Industrial Control Systems (ICS). Unlike previous ICS-specific malware that was limited to particular industrial segments, Pipedream exhibits versatility across various sectors. It

Ryuk (type unspecified, 1 vote): Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo

Backdoor.Oldrea (type unspecified, 1 vote): no description.
Associated Threat Actors
Associated threat actors (ID, type, votes, profile description):

APT10 (type unspecified, 1 vote): APT10, also known as the Menupass Team, is a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS). The group has been active since 2009 and is suspected to be based in Tianjin, China, according to research by IntrusionTruth in 2018. APT10 has primarily targeted

Sandworm (type unspecified, 1 vote): Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met

Energetic Bear (type unspecified, 1 vote): Energetic Bear, also known as DragonFly, Crouching Yeti, and Berserk Bear, is a threat actor that has been operational since at least 2011. The group has been linked to various cyber-espionage campaigns targeting the energy sector in Europe and North America, with the primary focus on defense and av
Associated Vulnerabilities
Associated vulnerabilities (ID, type, votes, profile description):

Iron Liberty Havex (type unspecified, 1 vote): no description.
Source Document References
Information about the Havex Threat Actor was read from the document corpus below. This display is limited to 20 results.
Source, created at, title:

DARKReading, 4 days ago: Novel ICS Malware Sabotaged Water-Heating Services in Ukraine
DARKReading, a year ago: A Brief History of ICS-Tailored Attacks
MITRE, a year ago: Endpoint Protection - Symantec Enterprise
CERT-EU, a year ago: Battling malware in the industrial supply chain - Cybersecurity Insiders
CERT-EU, a year ago: Cyberattacks on OT, ICS Lay Groundwork for Kinetic Warfare
MITRE, a year ago: EKANS Ransomware and ICS Operations | Dragos
MITRE, a year ago: UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat | Mandiant
CERT-EU, a year ago: 2022 a breakthrough year for malware targeting critical infrastructure
MITRE, a year ago: Resurgent Iron Liberty Targeting Energy Sector
MITRE, a year ago: Four Russian Government Employees Charged in Two Historical Hacking