In a LinkedIn® discussion about yesterday's post on the latest Havex ICS-CERT update, Kandy Zabka pointed me at an interesting discussion of the Havex RAT in a report from CrowdStrike.com. There is no date on the document, but it is a 'year in review' type report for 2013, so I suspect it was posted in January or February.
The discussion is found on pages 16 through 18 of the report, in the section on the activities of the group 'Energetic Bear'. It notes that the Havex RAT and the closely related SysMain RAT have been in operation since 2011. There is no specific mention of the OPC-related interest reported by F-Secure, but it does list the energy sector as a primary target, with secondary targets including US healthcare providers and European precision machine tool manufacturers.
The most interesting part of the discussion is their assessment that the group responsible has Russian connections. The evidence presented in the report is weak on detail, but that is not unexpected in a year-end summary. ICS-CERT would not be expected to address this issue publicly, or even on the US-CERT secure portal, but it is something worthy of investigation by NSA (this is the type of thing they should be working on).
As with the Stuxnet discovery, this continues to get more and more interesting as we find out more about Havex. I have a feeling that this discussion is going to continue for a while.