According to a report published by the online security firm F-Secure, the malware group behind the Havex malware plight have discovered a new way to tuck their program into software and programs used by major national infrastructure projects.
“It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers,” F-Secure researchers Daavid Hentunen and Antti Tikkanen wrote. “Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet.”
Besides traditional routes of infection such as loaded email attachments and phishing attempts, Havex have gotten creative with their aplomb variant by installing it inside of common pieces of software.
Programs that administrators might run with a machine on site at industrial-grade operations include remote management software, video monitoring programs, and even basic bookkeeping aids like Quicken or Excel.
Most programs designed to stop these sorts of attacks from launching aren’t capable of fully scanning every single application that runs on local machines, and in the case of the RAT Havex crew, only one small file needed to be changed in order to open up full backdoor access to anyone with the proper credentials to login from another location.
So far most of the systems which have been targeted were in Europe, however F-Secure notes they did find one example of the trojan operating at an unnamed site in California, although they refused to elaborate on exactly how far the extent of this new infection has spread since first popping up on the radar.
Unlike your usual botnet viruses or Bitcoin mining operations, illicit programs which target infrastructure projects can be especially nasty, with the capability to possibly disable hydroelectric dams, overload nuclear power plants, and even shut down extensive swaths of a country’s power grid all with the swipe of a single keystroke.
The first virus which took advantage of this loophole in the SCADA architecture was the famous Stuxnet worm, which was reportedly developed by state-sponsored engineers working out of the United States and Israel in order to put Iran’s nuclear enrichment program in jeopardy.
By bridging the air gap which is normally designed to protect these types of crucial infrastructure systems from an attack, the joint attack by both nations was successfully able to disrupt the enrichment process for Uranium-237, which can often take years running in highly controlled scenarios in order to get just right.
By subtly slowing down and speeding up the centrifuges tasked with the process, officials prevented Iran from completing their goal of nuclear independence while simultaneously making the whole thing look like an accident on behalf of the scientists working at the site itself.
“The attackers behind Havex are conducting industrial espionage using a clever method,” Tuesday’s report concluded. “Trojanizing ISC/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure.”