
Malware targets industrial controls and OPC servers

03 July, 2014

Cyber-security organisations have issued warnings about a malware campaign that has targeted industrial control systems (ICS) from at least three suppliers, including systems running OPC servers.

The campaign, known as Dragonfly or Energetic Bear, is thought to originate in Eastern Europe – probably Russia – and uses various techniques to infect control systems. Its origins have been traced back to 2011 or before, and the group behind it could have hacked systems at more than 1,000 organisations in more than 80 countries over the past 18 months.

Originally the group targeted defence and aerospace organisations in the US and Canada before moving on to American and European energy firms in 2013. The main purpose of the cyber-attacks appears to be industrial espionage, but the cyber-security specialist Symantec points out that if the group exploited the sabotage capabilities open to them, they could damage or disrupt control systems and energy supplies in the affected countries.

According to Symantec, Dragonfly’s most ambitious attack strategy has been to infect software from ICS equipment suppliers with a RAT (remote access Trojan) so that when end-users download software updates from their suppliers, they unwittingly install the malware on their systems. The malware, known as Havex or Oldrea, was first found in a product used to provide VPN (virtual private network) access to PLCs. By the time the vendor discovered the attack, there had been 250 downloads of the compromised software.

Another supplier that was attacked was a European manufacturer of specialist PLCs. In this case, a software package containing a device driver was compromised and was available for download for at least six weeks in June and July 2013.

A third firm to be attacked was a European business that develops systems to manage wind turbines, biogas plants and other energy equipment. Symantec believes that the compromised software was available for download for around ten days in April 2014.

Another cyber-security specialist, F-Secure, says it has found and analysed 88 variants of the Havex RAT used to gain access to, and harvest data from, industrial networks and machines. It traced around 1,500 IP addresses to identify potential victims and found that the malware had contacted 146 command and control (C&C) servers. The attackers used compromised Web sites – mainly blogs – as C&C servers.

According to F-Secure, the attackers are interested not only in compromising the networks of targeted organisations, but are also motivated to control their ICS and SCADA systems. “The source of this motivation is unclear to us,” F-Secure says.

F-Secure has identified three industrial control software vendors whose Web sites were broken into and legitimate software installers were trojanised to incorporate the Havex RAT. “We suspect that more similar cases exist, but have not been identified yet,” it adds.

All three compromised companies develop software and appliances for industrial applications. They are based in Germany, Switzerland and Belgium. Two of them supply remote management software for industrial control systems, while the third develops industrial cameras and software.

F-Secure has also identified some of the targets of the malware attacks – all of which are associated with the development or use of industrial applications or machines. Most are located in Europe and include two German producers of industrial applications and machinery, and a machine-builder located in France.

According to a warning issued by the US Government’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Havex uses OPC (OLE for Process Control) to gather information about connected control system resources in a network, including OPC tags, and sends this data back to the attackers. But ICS-CERT and F-Secure haven’t found any evidence so far that the RAT has attempted to control or make changes to the connected hardware.

[Figure: More than half of the targets attacked by the Dragonfly group have been in Spain and the US. Source: Symantec]

Havex only works with the original version of OPC – now known as OPC Classic – which was implemented using Microsoft’s COM/DCOM technology. The latest version of OPC, called OPC Unified Architecture (UA), does not use COM/DCOM and Havex does not appear to affect systems using this version.

According to F-Secure, the attackers behind Havex “are conducting industrial espionage using a clever method”.

“Trojanising ICS/SCADA software installers is an effective method for gaining access to target systems, potentially even including critical infrastructure,” it points out.

According to Symantec, the Dragonfly group “displays all of the hallmarks of a state-sponsored operation, displaying a high degree of technical capability”. Based on the timings of the attacks, Symantec says it is likely that the attackers are based in Eastern Europe. It adds that the Havex RAT appears to be custom software, giving an indication of the capabilities and resources behind it.

“Dragonfly has targeted multiple organisations in the energy sector over a long period of time,” Symantec reports. “Its current main motive appears to be cyber-espionage, with potential for sabotage a definite secondary capability.”

ICS-CERT “strongly recommends” that organisations check their network logs for activity associated with the Dragonfly campaign. In particular, it recommends:

•  enforcing strict access control lists and authentication protocols for network-level access to OPC clients and servers;

•  considering the use of OPC tunnelling technologies to avoid exposure of any legacy DCOM-based OPC services;

•  ensuring that the HTTP server enforces proper authentication and encryption of the OPC communications for both clients and servers, when using OPC .NET-based communications; and

•  applying the OPC Security specification, where possible.
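The following script is an added example, not code from the article, ICS-CERT, Symantec or F-Secure. It shows what the log review and the access-list recommendation above look like in practice: OPC Classic rides on DCOM, so every session starts with a connection to the RPC endpoint mapper on TCP 135, and a host that opens that port on several OPC servers in quick succession matches the server-enumeration behaviour ICS-CERT attributes to Havex. The firewall log lines, the OPC server subnet (10.10.1.0/24), the approved-client list and the enumeration threshold are all constructed assumptions for the example; the OPC UA port 4840 is the real default and is included to show that UA traffic is not flagged by these rules.

```python
"""Added example: screen firewall connection logs for OPC Classic (DCOM) access
from hosts outside an approved OPC-client list, and for one host reaching the
endpoint mapper on many OPC servers (enumeration). Sample data is constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (syslog-style firewall ALLOW records); hosts are hypothetical.
SAMPLE_LOG = """\
2014-07-01T08:00:01Z fw ALLOW src=10.10.5.20 dst=10.10.1.50 dport=135 proto=tcp
2014-07-01T08:00:02Z fw ALLOW src=10.10.5.20 dst=10.10.1.50 dport=49152 proto=tcp
2014-07-01T08:03:11Z fw ALLOW src=10.10.9.77 dst=10.10.1.50 dport=135 proto=tcp
2014-07-01T08:03:12Z fw ALLOW src=10.10.9.77 dst=10.10.1.51 dport=135 proto=tcp
2014-07-01T08:03:13Z fw ALLOW src=10.10.9.77 dst=10.10.1.52 dport=135 proto=tcp
2014-07-01T08:03:14Z fw ALLOW src=10.10.9.77 dst=10.10.1.53 dport=135 proto=tcp
2014-07-01T08:05:00Z fw ALLOW src=10.10.9.77 dst=203.0.113.9 dport=80 proto=tcp
2014-07-01T08:06:00Z fw ALLOW src=10.10.5.21 dst=10.10.1.50 dport=4840 proto=tcp
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) fw ALLOW src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

DCOM_ENDPOINT_MAPPER_PORT = 135  # OPC Classic uses DCOM; each session begins at the RPC endpoint mapper
OPC_SERVER_NET = ipaddress.ip_network("10.10.1.0/24")  # assumption: subnet holding the OPC servers
APPROVED_OPC_CLIENTS = {"10.10.5.20", "10.10.5.21"}    # assumption: the only hosts allowed to speak OPC
ENUMERATION_THRESHOLD = 3  # distinct OPC servers contacted by one source before we call it enumeration


def parse_log(text):
    """Turn the constructed log format into a list of event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def is_opc_classic_setup(event):
    """True for a DCOM endpoint-mapper connection aimed at the OPC server subnet."""
    return (event["dport"] == DCOM_ENDPOINT_MAPPER_PORT
            and ipaddress.ip_address(event["dst"]) in OPC_SERVER_NET)


def find_opc_access_violations(events):
    """Rule 1 (access-list check): OPC Classic setup traffic from a non-approved client."""
    findings = []
    for e in events:
        if is_opc_classic_setup(e) and e["src"] not in APPROVED_OPC_CLIENTS:
            findings.append((e["ts"], e["src"], e["dst"], "unapproved DCOM/OPC Classic access"))
    return findings


def find_opc_enumeration(events):
    """Rule 2 (behavioural): one source reaching the endpoint mapper on many distinct
    OPC servers, the footprint a RAT that walks the network's OPC servers would leave."""
    servers_by_src = defaultdict(set)
    for e in events:
        if is_opc_classic_setup(e):
            servers_by_src[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in servers_by_src.items()
            if len(dsts) >= ENUMERATION_THRESHOLD}


def analyse(text):
    """Run both rules over a log text and return the findings keyed by rule."""
    events = parse_log(text)
    return {"acl_violations": find_opc_access_violations(events),
            "enumeration": find_opc_enumeration(events)}


if __name__ == "__main__":
    for rule, result in analyse(SAMPLE_LOG).items():
        print(rule, result)
```

On the constructed log, the approved client 10.10.5.20 passes, the OPC UA connection on port 4840 is ignored because these rules only cover the DCOM-based OPC Classic the article says Havex targets, and the unknown host 10.10.9.77 trips both rules: four unapproved endpoint-mapper connections and a sweep across four OPC servers. In a real deployment the allow-list is the same list that the ACLs in the first recommendation enforce, so a hit here means either the ACL is missing or it has been bypassed.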
