Earlier today DHS ICS-CERT upgraded its Havex alert, last updated on Friday, to an advisory and included new information in the released document. ICS-CERT also describes some of the additional data that is available on the US-CERT secure portal.
The new information includes references to a Symantec blog post about the Dragonfly group. Symantec's findings are very similar to the CrowdStrike report I mentioned yesterday. That the two reports agree in so many areas is a good indication that the underlying intelligence is probably being interpreted properly.
The advisory also expands on the information that Havex has been searching for. ICS-CERT provides examples of the results the Trojan returned as it scanned for OPC connections.
The advisory also provides the following list of information that is available on the US-CERT secure portal:
• Three C2 IP addresses and 105 C2 domains
• Eighty-seven SHA1 hashes of unique Havex variants
• Sixteen Havex payload SHA1 hashes and four Havex installer SHA1 hashes, with filenames
• Six Karagany filenames/MD5 hashes, four Karagany filenames, two Karagany C2 domain IPs, and seven miscellaneous directory paths, agent strings, outbound traffic indicators, and directories to watch
• A STIX/TAXII file (IB-14-20124.stix.xml) containing details on Trojan.Karagany
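For readers who get portal access and download a file like the one listed above, the practical question is how to turn it into something a detection tool can use. The following is an added example, not code from ICS-CERT or the advisory: it parses a STIX 1.x package with the Python standard library, pulls out the atomic indicators (SHA1/MD5 hashes, domains, IP addresses) from the CybOX objects, and checks a list of locally observed values against them. The embedded package is constructed for illustration; every hash, domain and address in it is a placeholder and none of them is a real Havex or Karagany indicator. The namespace URIs are the real MITRE STIX 1.x/CybOX 2.x ones.

```python
"""Extract atomic indicators from a STIX 1.x package and match them
against locally observed values (file hashes, DNS queries, connections)."""
import xml.etree.ElementTree as ET

# Real STIX 1.x / CybOX 2.x namespace URIs from the MITRE schemas.
NS = {
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}


def q(prefix, local):
    """Build the Clark-notation tag ElementTree uses for namespaced elements."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed sample package. All indicator values are placeholders,
# NOT real Havex/Karagany IOCs (documentation IP range, example.net).
SAMPLE_STIX = """<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package version="1.1"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-1">
      <indicator:Title>Sample payload hash</indicator:Title>
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:File_Name>payload.dll</FileObj:File_Name>
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type>SHA1</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value>1111111111111111111111111111111111111111</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
              <cyboxCommon:Hash>
                <cyboxCommon:Type>MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value>22222222222222222222222222222222</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-2">
      <indicator:Title>Sample C2 domain</indicator:Title>
      <indicator:Observable id="example:observable-2">
        <cybox:Object id="example:object-2">
          <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
            <DomainNameObj:Value>c2.example.net</DomainNameObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-3">
      <indicator:Title>Sample C2 IP</indicator:Title>
      <indicator:Observable id="example:observable-3">
        <cybox:Object id="example:object-3">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>203.0.113.10</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""


def extract_indicators(stix_xml):
    """Return {"sha1", "md5", "domain", "ip"} -> set of normalised values."""
    root = ET.fromstring(stix_xml)
    found = {"sha1": set(), "md5": set(), "domain": set(), "ip": set()}
    # File hashes live in cyboxCommon:Hash elements under FileObj:Hashes.
    for h in root.iter(q("cyboxCommon", "Hash")):
        htype = h.findtext(q("cyboxCommon", "Type"), "").strip().lower()
        value = h.findtext(q("cyboxCommon", "Simple_Hash_Value"), "").strip().lower()
        if htype in found and value:
            found[htype].add(value)
    for d in root.iter(q("DomainNameObj", "Value")):
        if d.text:
            found["domain"].add(d.text.strip().lower())
    for a in root.iter(q("AddressObj", "Address_Value")):
        if a.text:
            found["ip"].add(a.text.strip())
    return found


def match_observations(indicators, observed):
    """observed: iterable of (kind, value) from a host or network log.
    Returns the (kind, normalised value) pairs that hit an indicator."""
    hits = []
    for kind, value in observed:
        norm = value.strip() if kind == "ip" else value.strip().lower()
        if norm in indicators.get(kind, set()):
            hits.append((kind, norm))
    return hits


# Constructed observations: one hash and one DNS query hit, one connection does not.
SAMPLE_OBSERVED = [
    ("sha1", "1111111111111111111111111111111111111111"),
    ("domain", "C2.EXAMPLE.NET"),
    ("ip", "198.51.100.1"),
]

if __name__ == "__main__":
    iocs = extract_indicators(SAMPLE_STIX)
    for kind, value in match_observations(iocs, SAMPLE_OBSERVED):
        print("HIT", kind, value)
```

Hash and domain comparisons are case-folded because different tools emit them in different cases; IP addresses are compared as written. Real packages from the portal may also carry the hash type in an `xsi:type` vocabulary attribute, but the text of `cyboxCommon:Type` is what the matcher keys on here.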
From a counter-intelligence perspective it is kind of odd that ICS-CERT would publish this descriptive inventory of the sensitive files held on a secure server. Typically information security folks would tell ICS-CERT that the simple list above lets the perpetrators gauge how well the investigation against them is proceeding. It also tells the Havex creators which parts of their tool suite will be less effective in the wild.
US-CERT Secure Portal Update
I got an interesting email today from Monica Maher, the Chief of Operations at ICS-CERT, about access to the control system security area within the US-CERT secure portal. She wrote:
“I wanted to let you know that about a year or so ago, we updated our policies and procedures to allow a variety of ICS stakeholders to obtain membership. Previously, we vetted asset owners and operators as well as ICS vendors into our portal. Due to feedback, we created a process to also allow ICS consultants and systems integrators into the portal.”
With this information I would like to expand my suggestion that system owners sign up for access to the US-CERT secure portal to include control system vendors, integrators and ICS security consultants. The more ICS security people involved in this information sharing, the better off the community will be.