Havex

Threat Actor Profile
Havex is a remote access trojan (RAT) used by the threat group tracked as Dragonfly, also known as Energetic Bear; the names Dragonfly and Energetic Bear refer to the group, and Havex to its malware. First observed in 2013, Havex was deployed in a broad industrial espionage campaign. The operators infected targets through phishing emails and by compromising the websites of Industrial Control Systems (ICS) equipment vendors, where they replaced legitimate software installers and updates with trojanized versions. Victims who downloaded these packages installed the RAT, which gave the operators remote access to the compromised network and let them harvest data from infected machines.

In 2014, Havex was distributed through trojanized IT product downloads and crossed IT/OT firewalls to collect intelligence from OT networks. One of its modules enumerated OPC servers on the local network, which is why Havex is counted among the small number of ICS-specific malware families, alongside CRASHOVERRIDE, EKANS and others.

Havex shares code with Heriplor: CTU researchers compared a Havex second-stage sample from 2014 with a Heriplor sample and found that both wrote identical files and used the same command and control (C2) server. There is no evidence that any other threat actor has used Havex or Heriplor, so both appear to remain exclusive to the original operators.

A naming collision is worth noting. UNC2447, a financially motivated group, uses the Cobalt Strike BEACON HTTPSSTAGER implant for persistence and C2 communication over HTTPS and has used the 'Havex' Malleable C2 profile. That profile is a Cobalt Strike configuration that shapes BEACON traffic to resemble Havex C2 traffic; it does not indicate use of the Havex malware itself, and network detections keyed on Havex traffic patterns may also fire on BEACON configured with this profile.

Havex remains relevant because of the access it established inside critical infrastructure networks and because its delivery model, trojanized vendor software downloads, is a supply-chain technique that still applies today.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Dragonfly | 2 | Dragonfly is a notable threat actor known for its malicious activities in the cybersecurity landscape. This group has been particularly active in targeting the energy sector across various countries, including the United States, Switzerland, and Turkey. The tactics employed by Dragonfly often involv
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
ICS
Ransomware
Associated Malware
ID | Type | Votes | Profile Description
Crashoverride | Unspecified | 2 | CrashOverride, also known as Industroyer, is a notorious malware that was leveraged in 2016 to disrupt Ukraine's power grid at the transmission substation level. This malicious software, believed to be state-sponsored by Russia, manipulated Industrial Control Systems (ICS) equipment through the abus
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Havex Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Resurgent Iron Liberty Targeting Energy Sector
DARKReading | 9 months ago | A Brief History of ICS-Tailored Attacks
MITRE | a year ago | Four Russian Government Employees Charged in Two Historical Hacking
MITRE | a year ago | UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat | Mandiant
CERT-EU | a year ago | 2022 a breakthrough year for malware targeting critical infrastructure
MITRE | a year ago | EKANS Ransomware and ICS Operations | Dragos
CERT-EU | a year ago | Cyberattacks on OT, ICS Lay Groundwork for Kinetic Warfare
CERT-EU | 9 months ago | Battling malware in the industrial supply chain - Cybersecurity Insiders
MITRE | a year ago | Endpoint Protection - Symantec Enterprise