Havex is a remote access trojan (RAT) discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries. The campaign was attributed to a hacking group referred to as "Dragonfly" and "Energetic Bear". In 2014, the cybersecurity firm CrowdStrike assessed that Energetic Bear was linked to the Russian Intelligence Services (RIS), and the Havex malware and the Dragonfly/Energetic Bear group identifiers were later named in the GRIZZLY STEPPE Joint Analysis Report published by the FBI and DHS on December 29, 2016, which publicly attributed various activities to RIS.
According to the cybersecurity company Dragos Inc., Havex is estimated to have impacted as many as 2,000 infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.
According to the SANS Institute, the Havex campaign began in 2010 and involved three phases of delivery. The first phase used spear-phishing to infect victim computers and collect information on the targets. In the second phase, Havex was delivered via watering hole attacks: targeted users who visited legitimate websites – commonly visited by industry experts – were redirected to servers hosting software infected with Havex. Later in the campaign, a third phase involved the compromise of legitimate applications on vendor websites, from which victims downloaded the Havex-infected software.
Once installed, Havex scanned the infected system's network to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices and sent the results back to its command-and-control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, a widely used communication standard for ICS components across many industries that facilitates open connectivity and interoperability between vendors' equipment. Because classic OPC is built on Microsoft's COM/DCOM, Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside an ICS network and collect information such as the CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.
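The enumeration described above has a network footprint a defender can look for: every DCOM connection to an OPC server begins with a TCP/135 connection to the RPC endpoint mapper on the target host, and a legitimate OPC client (an HMI or historian) talks to a small, stable set of servers, whereas a host sweeping the subnet contacts many peers on TCP/135 in a short window. The following is an added example, not code from the Havex reports or from any of the cited vendors: it runs a sliding-window count of distinct TCP/135 peers per source over constructed flow-log lines. The log format, the addresses, the thresholds and the `KNOWN_OPC_CLIENTS` allowlist are all assumptions for the example.

```python
"""Flag hosts that open TCP/135 (RPC endpoint mapper) to many distinct peers.

Added detection example for the OPC-over-DCOM discovery described in the text.
The flow-log format ("<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>"),
the sample addresses, the window/threshold values and the allowlist are all
constructed assumptions; adapt them to the real sensor feeding the logic.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed flow-log excerpt. 10.10.5.21 is a legitimate OPC client talking to
# its usual servers; 10.10.5.40 opens TCP/135 to six different hosts in ten seconds.
SAMPLE_LOG = """\
2014-06-23T09:00:01 10.10.5.21 10.10.7.10 135 tcp
2014-06-23T09:00:02 10.10.5.21 10.10.7.10 49153 tcp
2014-06-23T09:00:05 10.10.5.40 10.10.7.11 135 tcp
2014-06-23T09:00:06 10.10.5.40 10.10.7.12 135 tcp
2014-06-23T09:00:07 10.10.5.40 10.10.7.13 135 tcp
2014-06-23T09:00:08 10.10.5.40 10.10.7.14 135 tcp
2014-06-23T09:00:09 10.10.5.40 10.10.7.15 135 tcp
2014-06-23T09:00:10 10.10.5.40 10.10.7.16 135 tcp
2014-06-23T09:30:00 10.10.5.21 10.10.7.10 135 tcp
2014-06-23T09:31:00 10.10.5.21 10.10.7.11 135 tcp
2014-06-23T09:32:00 10.10.5.21 10.10.7.11 80 tcp
"""

# Constructed allowlist of hosts expected to act as OPC clients (HMIs, historians).
KNOWN_OPC_CLIENTS = frozenset({"10.10.5.21"})

RPC_ENDPOINT_MAPPER_PORT = 135


def parse_flow(line):
    """Split one constructed flow-log line into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def detect_rpc_sweeps(log_text, window_seconds=300, min_peers=5, allowlist=frozenset()):
    """Return {src_ip: sorted distinct TCP/135 peers} for every source that
    reached at least `min_peers` distinct hosts on TCP/135 within any
    `window_seconds` window. Sources in `allowlist` are skipped."""
    windows = defaultdict(deque)  # per-source sliding window of (timestamp, dst)
    hits = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, dport, proto = parse_flow(raw)
        if proto != "tcp" or dport != RPC_ENDPOINT_MAPPER_PORT or src in allowlist:
            continue
        window = windows[src]
        window.append((ts, dst))
        # Evict events that fell out of the time window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        peers = {peer for _, peer in window}
        if len(peers) >= min_peers:
            hits[src] = sorted(peers)  # keep the widest peer set seen for this source
    return hits


if __name__ == "__main__":
    for src, peers in detect_rpc_sweeps(SAMPLE_LOG, allowlist=KNOWN_OPC_CLIENTS).items():
        print(f"{src} contacted TCP/135 on {len(peers)} hosts: {', '.join(peers)}")
```

The allowlist is a tuning knob rather than a safety net: a known OPC client can itself be the infected host, so a stricter deployment keeps those hosts in scope and instead raises `min_peers` for them to just above the number of servers they are configured to poll. Once the endpoint-mapper sweep is confirmed, the same source's follow-up connections to the dynamic RPC ports on each server, and any new OPC client process on the host, are the next things to pull.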
Like BlackEnergy, Havex was an intelligence-collection tool used for espionage rather than for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.
Indicators of Compromise (IOCs)
- December 2016: GRIZZLY STEPPE – Russian Malicious Cyber Activity (DHS/FBI)
- January 2016: The Impact of Dragonfly Malware on Industrial Control Systems (SANS)
- 2015: The Role of Malware in Reported Cyber Espionage: A Review of the Impact and Mechanism (Norwegian Information Security Laboratory)
- December 2014: 64-bit Version of HAVEX Spotted (TrendMicro)
- July 2014: Why Havex Is a Game-Changing Threat to Industrial Control Systems – Part 1 (Palo Alto Networks)
- July 2014: HAVEX Targets Industrial Control Systems (TrendMicro)
- July 2014: Havex, It’s Down with OPC (FireEye)
- July 2014: ICS Focused Malware (ICS-CERT)
- June 2014: Dragonfly: Western Energy Companies Under Sabotage Threat (Symantec)
- June 2014: Havex Hunts For ICS/SCADA Systems (F-Secure)