MB Connect Line
MB Connect Line installer distributed Havex.
As part of the DragonFly/Energetic Bear campaign, MB Connect Line, a German vendor of industrial routers and remote access solutions, had a software installer on their website trojanized with the Havex Remote Access Trojan (RAT). This allowed attackers to gain a foothold in networks of organizations that downloaded and installed the compromised software. This record tracks the MB Connect Line product scope specifically; related Havex vendor compromises are tracked separately.
- Date: 2013-01-01 to 2014-06-01
- Category: Commercial
- Target Surface: Distribution
- Insertion Phase: distribution
- Impact: Backdoor
- Cause: Website compromise
What Was Affected
Package
MB Connect Line
Language: C++
Component: Application
Artifact type: binary archive
Domain type: project download host
Domain
mbconnectline.com
Compromised Versions
- Specific software installers available for download from their website during the compromise period.
Incident Context
- Motive: Espionage
- Attribution: Nation-state
- Transitive: No
- Observed Duration: 516 days
Evidence
Compromised Artifacts
- Trojanized MB Connect Line software installer (e.g., for mbCHECK, mbCONF), downloaded from mbconnectline.com during 2013-2014.
Current Artifacts and Analysis
- web.archive.org/web/20190717022917/https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dragonfly-threat-against-energy-sector-systems.pdf
- cisa.gov/news-events/ics-alerts/ics-alert-14-176-02a
- f-secure.com/documents/996508/1030745/Threat_Intelligence_Report_Havex_an_Energetic_Bear_Targets_ICS_SCADA.pdf
- virustotal.com/gui/file/09a35ac2f7f9ca156c3a2ab2466c029976535390099101632e904a7ca3f6764d
Indicators and Changes
Hashes
- sha256:09a35ac2f7f9ca156c3a2ab2466c029976535390099101632e904a7ca3f6764d
- sha256:4a1a783a11c1a2a9d5915717b16ebb5012c685f4457a08246666d7d2f7dcb238
- md5:f691c8f16e290f829710ff0a18ff2532
External References
Source Data
Source record: proprietary/mb_connect/meta.yaml