In a LinkedIn® discussion about yesterday’s post on the latest Havex ICS-CERT update, Kandy Zabka pointed me at an interesting discussion of the Havex RAT in a report from CrowdStrike.com. There is no date on the document, but it is a ‘year in review’ type report for 2013, so I suspect it was probably posted in January or February.
The discussion is found on pages 16 through 18 of their report, in the section on activities by the group ‘Energetic Bear’. It notes that the Havex RAT and the closely related SysMain RAT have been in operation since 2011.
There is no specific mention of the OPC related interest reported by F-Secure, but it does list the energy sector as a primary target with secondary targets including US healthcare providers and European precision machine tool manufacturers.
The most interesting part of the discussion is their assessment that the group responsible has Russian connections. The evidence presented in the report is weak on detail, but that is not unexpected in a year-end-summary type report. ICS-CERT would not be expected to address this issue publicly or even on the US-CERT secure portal, but it is something worthy of investigation by NSA (this is the type of thing that they should be working on).
As with the Stuxnet discovery, this continues to get more and more interesting as we proceed to find out more about Havex. I have a feeling that this discussion is going to continue for a while.