Havex

Threat Actor updated 2 months ago (2024-07-23T11:17:37.008Z)
Havex, also known as Dragonfly or the Energetic Bear RAT, is a prominent threat actor in the cybersecurity landscape. First spotted in 2013, Havex was part of a broad industrial espionage campaign that targeted Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) environments, primarily in Europe. The actors behind Havex used several infection techniques, including phishing emails and compromising the websites of ICS equipment vendors, where they replaced legitimate software updates with trojanized versions. Victims who downloaded these updates were infected, giving the actors remote access to the compromised networks and the ability to harvest data from infected machines.

The IRON LIBERTY threat group notably used Havex, alongside custom malware such as Sysmain and xFrost (now Karagany), in its operations prior to 2014. A comparison of Heriplor with an IRON LIBERTY Havex second-stage malware sample from 2014 showed identical file-writing behaviour and shared command and control (C2) servers, suggesting that Heriplor was developed from the Havex code base. CTU researchers found no evidence that other threat actors have used Havex or Heriplor, indicating that both remain uniquely associated with specific threat groups.

Havex is one of a small number of ICS-specific malware variants, alongside EKANS and CRASHOVERRIDE, that contain explicit references to industrial processes. Among these, Stuxnet and Industroyer/CrashOverride are well-known examples, having been used in significant cyberattacks on Iran's uranium enrichment facility and Ukraine's power grid, respectively. In 2014, Havex was hidden in IT product downloads and used to breach IT/OT firewalls and gather intelligence from OT networks. UNC2447, a separate threat actor, has been observed using 'Havex' Malleable profiles during the initial stages of intrusion for persistence and communication with C2 servers over HTTPS.
Description last updated: 2024-07-23T11:16:25.527Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Dragonfly | 2 | Dragonfly is a notable threat actor known for its malicious activities in the cybersecurity landscape. This group has been particularly active in targeting the energy sector across various countries, including the United States, Switzerland, and Turkey. The tactics employed by Dragonfly often involv
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, ICS, Ransomware
Associated Malware
ID | Type | Votes | Profile Description
Stuxnet | Unspecified | 2 | Stuxnet, discovered in 2010, is one of the most notorious malware attacks in history, primarily targeting Windows systems, programmable logic controllers (PLCs), and supervisory control and data acquisition (SCADA) systems. The military-grade cyberweapon was co-developed by the United States and Isr
Crashoverride | Unspecified | 2 | CrashOverride, also known as Industroyer, is a notorious malware that was leveraged in 2016 to disrupt Ukraine's power grid at the transmission substation level. This malicious software, believed to be state-sponsored by Russia, manipulated Industrial Control Systems (ICS) equipment through the abus
Source Document References
Information about the Havex threat actor was read from the documents in the corpus below. This display is limited to 20 results.
Source | Created | Title
DARKReading | 2 months ago | Novel ICS Malware Sabotaged Water-Heating Services in Ukraine
DARKReading | a year ago | A Brief History of ICS-Tailored Attacks
MITRE | 2 years ago | Endpoint Protection - Symantec Enterprise
CERT-EU | a year ago | Battling malware in the industrial supply chain - Cybersecurity Insiders
CERT-EU | a year ago | Cyberattacks on OT, ICS Lay Groundwork for Kinetic Warfare
MITRE | 2 years ago | EKANS Ransomware and ICS Operations | Dragos
MITRE | 2 years ago | UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat | Mandiant
CERT-EU | 2 years ago | 2022 a breakthrough year for malware targeting critical infrastructure
MITRE | 2 years ago | Resurgent Iron Liberty Targeting Energy Sector
MITRE | 2 years ago | Four Russian Government Employees Charged in Two Historical Hacking