Proprietary · 2013-06-01 · 60 days · Backdoor, Data Theft, Remote Access

MESA Imaging software delivered Havex

Part of the Dragonfly Havex ICS vendor compromises campaign

MESA Imaging, a Swiss developer of 3D Time-of-Flight (ToF) cameras and related software used in industrial applications, was another vendor whose website was compromised during the Dragonfly/Havex campaign.

Story

Havex was not dropped only by phishing mail or drive-by compromise. Dragonfly also turned official industrial software distribution into a delivery system. By compromising ICS and SCADA vendors, the operators made trusted downloads carry the first stage of an intrusion.

MESA Imaging was one of the vendors publicly associated with that supply-chain phase. Netresec identified the affected package as Swiss Ranger 1.0.14.706, the libMesaSR driver installer for MESA's industrial cameras. The poisoned download looked like ordinary product support; the payload turned it into reconnaissance.

The malware installed a backdoor, beaconed to command-and-control infrastructure, collected credentials and system details, and could load an OPC scanning module to enumerate industrial control devices reachable from the infected host. According to the DOJ indictment, the wider Dragonfly/Havex operation infected more than 17,000 unique devices in the United States and abroad, including systems used in power and energy operations.

The MESA Imaging entry stays separate from eWON and MB Connect Line because the affected artifacts and vendor distribution paths differ. The campaign attribution is shared, but the package scope is not. The dates here track the public trojanized-download window reported for this artifact group, while the indictment describes earlier supplier-level access in the same broader operation.

Affected Artifacts

Observed
2013-06-01 to 2013-07-31
Compromised Versions
Swiss Ranger 1.0.14.706 (libMesaSR driver installer), per Netresec
Fixed
Not listed
Hashes
  • md5:e027d4395d9ac9cc980d6a91122d2d83
  • sha256:398a69b8be2ea2b4a6ed23a55459e0469f657e6c7703871f63da63fb04cefe90
Notes
  • Netresec reported six weeks of exposure in June and July 2013, citing Symantec.
  • The DOJ indictment describes more than 17,000 infected devices across the broader Dragonfly/Havex campaign; this record does not assign that whole count to MESA Imaging.
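A practitioner who still has old SwissRanger installers archived will want to check them against the two digests above. The script below is an added example, not part of the source record or of any vendor tooling: it parses hash lines in the `algo:hexdigest` form used on this page, streams each file once through every listed algorithm, and reports matches for a directory tree. The sample installer bytes, the file name and the temporary directory are constructed for the demonstration and are not real artifacts.

```python
"""Hash-based IoC check against the digests listed in this record.

Added example, not part of the source record. The two digests are the
ones listed on this page; file names and sample bytes are constructed.
"""
import hashlib
import os
import tempfile

# Hash lines exactly as they appear in the record (algo:hexdigest).
IOC_LINES = [
    "md5:e027d4395d9ac9cc980d6a91122d2d83",
    "sha256:398a69b8be2ea2b4a6ed23a55459e0469f657e6c7703871f63da63fb04cefe90",
]


def parse_iocs(lines):
    """Return {algorithm: {lowercase hexdigest, ...}} from 'algo:hex' lines.

    Tolerates a leading bullet and surrounding whitespace so lines can be
    pasted straight from the record; rejects unknown algorithm names.
    """
    iocs = {}
    for line in lines:
        line = line.strip().lstrip("•").strip()
        if not line or ":" not in line:
            continue
        algo, digest = line.split(":", 1)
        algo, digest = algo.strip().lower(), digest.strip().lower()
        if algo not in hashlib.algorithms_guaranteed:
            raise ValueError(f"unknown hash algorithm in IoC list: {algo}")
        iocs.setdefault(algo, set()).add(digest)
    return iocs


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Read the file once and feed every requested hasher from the same chunks."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_iocs(digests, iocs):
    """Return [(algo, digest)] for every computed digest present in the IoC set."""
    return [(a, d) for a, d in digests.items() if d in iocs.get(a, set())]


def scan_directory(root, iocs):
    """Walk a tree; return {path: [(algo, digest), ...]} for files that hit."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path, algorithms=tuple(iocs))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            matched = match_iocs(digests, iocs)
            if matched:
                hits[path] = matched
    return hits


def demo():
    """Constructed run: a fake installer that does not match the page's IoCs,
    then the same file after its own SHA-256 is added so the hit path runs."""
    iocs = parse_iocs(IOC_LINES)
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "SwissRanger_setup.exe")  # constructed name
        with open(fake, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not the real installer")
        clean = scan_directory(tmp, iocs)
        own_sha256 = hash_file(fake)["sha256"]
        dirty = scan_directory(tmp, parse_iocs(IOC_LINES + [f"sha256:{own_sha256}"]))
    return clean, dirty


if __name__ == "__main__":
    clean_hits, dirty_hits = demo()
    print("hits against the page's IoCs:", clean_hits)
    print("hits after adding the constructed digest:", dirty_hits)
```

Point `scan_directory` at a software archive or a download cache to check it; a hit on either digest is a reason to treat the host as compromised and to pivot to network evidence, since the hash only identifies the installer, not what the backdoor did afterwards.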

Incident Context

Motive
Espionage, Data Theft
Attribution
State
Cause
Website Compromise
Transitive
No
Actor
FSB Center 16 (Dragonfly/Energetic Bear)

External References

Source record: proprietary/mesa_imaging/meta.yaml