Havex

Threat Actor updated 4 months ago (2024-07-23T11:17:37.008Z)
Havex, also known as Dragonfly or the Energetic Bear RAT, is a prominent threat actor in the cybersecurity landscape. First spotted in 2013, Havex was part of a broad industrial espionage campaign that specifically targeted Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) environments, primarily in Europe. The threat actors behind Havex employed a variety of infection techniques, including phishing emails and compromising the websites of ICS equipment vendors, where they replaced legitimate software updates with malicious versions and infected victims who downloaded the trojanized updates. This gave the threat actors remote access to infected networks and allowed them to harvest data from compromised machines.

The IRON LIBERTY threat group notably used Havex, along with custom malware such as Sysmain and xFrost (now Karagany), in its operations prior to 2014. A comparison between Heriplor and an IRON LIBERTY Havex second-stage malware sample from 2014 revealed identical file-writing behaviour and shared command and control (C2) servers, suggesting that Heriplor was developed from the Havex code base. However, CTU researchers found no evidence that other threat actors have used Havex or Heriplor, indicating its unique association with specific threat groups.

Havex joins the ranks of the few ICS-specific malware variants, such as EKANS and CRASHOVERRIDE, that contain explicit references to industrial processes. Among these, Stuxnet and Industroyer/CrashOverride are well-known examples that were used in significant cyberattacks on Iran's uranium enrichment facility and Ukraine's power grid, respectively. In 2014, Havex was hidden in IT product downloads and used to breach IT/OT firewalls, gathering intelligence from OT networks. UNC2447, another threat actor, has been observed using 'Havex' Malleable profiles during the initial stages of intrusion for persistence and communication with C2 servers over HTTPS.
Description last updated: 2024-07-23T11:16:25.527Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Dragonfly (2 votes)
Description: Dragonfly is a possible alias for Havex. Dragonfly is a notable threat actor known for its malicious activities in the cybersecurity landscape. This group has been particularly active in targeting the energy sector across various countries, including the United States, Switzerland, and Turkey. The tactics employed by Dragonfly often involv
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, ICS, Ransomware
Associated Malware
Malware: Stuxnet (association type: Unspecified; 2 votes)
Description: The Stuxnet Malware is associated with Havex. Stuxnet, discovered in 2010, is one of the most infamous malware attacks in history. It was a military-grade cyberweapon co-developed by the United States and Israel, specifically targeting Iran's nuclear enrichment facility at Natanz. The Stuxnet worm infiltrated Windows systems, programming logic

Malware: Crashoverride (association type: Unspecified; 2 votes)
Description: The Crashoverride Malware is associated with Havex. CrashOverride, also known as Industroyer, is a notorious malware that was leveraged in 2016 to disrupt Ukraine's power grid at the transmission substation level. This malicious software, believed to be state-sponsored by Russia, manipulated Industrial Control Systems (ICS) equipment through the abus