eWON VPN installer delivered Havex
Part of the Dragonfly Havex ICS vendor compromises campaign
Belgian ICS vendor eWON (later acquired by HMS Networks), which provides remote connectivity tools for industrial equipment, was targeted during the Dragonfly/Havex campaign attributed to Russia's FSB Center 16.
Story
Dragonfly, also called Energetic Bear, Crouching Yeti, and Berzerk Bear, did not need to invent a new trust path into industrial networks. It used the one engineers already followed. During the Havex phase, the operators compromised ICS and SCADA software providers and placed malware inside legitimate vendor downloads.
eWON was one of the public vendor scopes tied to that activity. Its Talk2M remote-access tooling, including the eCatcher VPN client, was a valuable bridge between ordinary workstations and operational environments. A poisoned installer from the official vendor site could enter a plant as maintenance software, not as an obvious intrusion.
Havex gave the operators a backdoor into each infected host: it contacted command-and-control infrastructure, gathered host and credential information, and could deploy an OPC scanning component to enumerate industrial control devices reachable from that host. The DOJ indictment says the broader campaign put malware on more than 17,000 unique devices in the United States and elsewhere, including systems tied to power and energy operations.
Netresec tied two eWON artifacts to the public Havex set: Talk2M eCatcher 4.0.0.13073 and eGrabIt 3.0.0.82. The record stays separate from the other Havex vendor compromises because the affected products, files, and distribution path are distinct even when the actor and campaign are the same.
Affected Artifacts
Talk2M eCatcher 4.0.0.13073
- Observed: 2014-01-01 to 2014-01-31
- Compromised Versions: 4.0.0.13073
- Fixed: Not listed
- Hashes
  - md5:eb0dacdc8b346f44c8c370408bad4306
  - sha256:70103c1078d6eb28b665a89ad0b3d11c1cbca61a05a18f87f6a16c79b501dfa9
- Evidence: distribution: ewon.biz, mirror: netresec.com, mirror: web.archive.org/web/20190717022917/https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dragonfly-threat-against-energy-sector-systems.pdf, mirror: f-secure.com/documents/996508/1030745/Threat_Intelligence_Report_Havex_an_Energetic_Bear_Targets_ICS_SCADA.pdf, +5 more
- Netresec reported ten days of exposure in January 2014 and 250 downloaded copies, citing Symantec.
- The DOJ indictment describes more than 17,000 infected devices across the broader Dragonfly/Havex campaign; this record does not assign that whole count to eWON.
eGrabIt 3.0.0.82
- Observed: 2014-01-01 to 2014-01-31
- Compromised Versions: 3.0.0.82
- Fixed: Not listed
- Hashes
  - md5:1080e27b83c37dfeaa0daaa619bdf478
  - sha256:0007ccdddb12491e14c64317f314c15e0628c666b619b10aed199eefcfe09705
- Evidence: distribution: ewon.biz, mirror: netresec.com, file: egrabitsetup.exe, malware: Havex RAT 038, +1 more
- Netresec listed the exposure window for eGrabIt as unknown and reported the first VirusTotal submission on 2014-01-29.
Incident Context
- Motive: Espionage, Network Reconnaissance
- Attribution: State
- Cause: Website Compromise
- Transitive: No
- Actor: FSB Center 16 (Dragonfly/Energetic Bear)
External References
- Full Disclosure of Havex Trojans (netresec.com)
- Motives Behind Havex ICS Malware Campaign Remain a Mystery (threatpost.com)
- Dragonfly: Cyberespionage Attacks Against Energy Suppliers (web.archive.org)
- ICS Alert ICS-ALERT-14-176-02A: Ongoing Sophisticated Malware Campaign Compromising ICS (cisa.gov)
- ICS Advisory ICSA-14-178-01: ICS Focused Malware (cisa.gov)
- Havex Hunts For ICS/SCADA Systems (f-secure.com)
- US reveals Russian supply-chain attack on energy sector (theregister.com)
- Indictment: United States v. Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov (justice.gov)
Source record: proprietary/ewon/meta.yaml