MB Connect Line delivered Havex
Part of the Dragonfly Havex ICS vendor compromises campaign
As part of the DragonFly/Energetic Bear campaign, MB Connect Line, a German vendor of industrial routers and remote-access solutions, had official software installers trojanized with the Havex RAT.
Story
Dragonfly treated industrial software distribution as infrastructure worth owning. In the Havex phase, the group compromised ICS and SCADA vendors, then made altered installers available through the channels customers already trusted. The result was an espionage tool delivered with the shape and timing of ordinary maintenance.
MB Connect Line fit that pattern. Its routers and remote-access utilities sit close to industrial operations, where mbCONFTOOL, mbCHECK, and VCOM_LAN2 can be used by engineers and support staff. A poisoned vendor download did not have to cross the plant boundary by force; the customer carried it in as part of normal administration.
Once installed, Havex opened remote access, collected host data and credentials, and could run an OPC-focused discovery module to identify industrial control systems. The DOJ indictment says the broader Dragonfly/Havex operation infected more than 17,000 unique devices worldwide, including equipment connected to power and energy organizations.
MB Connect Line later said three files were replaced on its website from April 16 to April 23, 2014: mbCHECK for Europe, VCOM_LAN2, and mbCONFTOOL. This record is intentionally vendor-scoped. It belongs to the same Dragonfly/Havex campaign as eWON and MESA Imaging, but the artifact group and distribution location are distinct.
Affected Artifacts
- Observed: 2014-04-16 to 2014-04-23
- Compromised Versions:
- Fixed: Not listed
- Hashes: md5 0a9ae7fdcd9a9fe0d8c5c106e8940701; sha256 c32277fba70c82b237a86e9b542eb11b2b49e4995817b7c2da3ef67f6a971d4a
- Evidence: distribution: mbconnectline.com, mirror: netresec.com, mirror: web.archive.org/web/20190717022917/https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dragonfly-threat-against-energy-sector-systems.pdf, mirror: cisa.gov/news-events/ics-alerts/ics-alert-14-176-02a, +5 more
- MB Connect Line reported this infected file was available from 2014-04-16 through 2014-04-23.

- Observed: 2014-04-16 to 2014-04-23
- Compromised Versions:
- Fixed: Not listed
- Hashes: md5 1d6b11f85debdda27e873662e721289e; sha256 0b74282d9c03affb25bbecf28d5155c582e246f0ce21be27b75504f1779707f5
- Evidence: distribution: mbconnectline.com, mirror: netresec.com, file: mbCHECK.exe, malware: Havex RAT 043, +2 more
- Netresec noted only the Europe build of mbCHECK was reported trojanized, not the USA/CAN build.
- The DOJ indictment describes more than 17,000 infected devices across the broader Dragonfly/Havex campaign; this record does not assign that whole count to MB Connect Line.

- Observed: 2014-04-16 to 2014-04-23
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence: distribution: mbconnectline.com, mirror: netresec.com, file: setupvcom_lan2.exe, malware: Havex RAT
- MB Connect Line reported VCOM_LAN2 was replaced during the same April 2014 window, but Netresec did not have a malware sample and did not publish hashes.
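The hashes in this record are the only published fingerprints for the trojanized downloads, so the practical defender check is to compute md5 and sha256 over any installer pulled from the vendor site during or after the April 2014 window and compare against them. The script below is an added example, not part of this record or of any MB Connect Line or Netresec tooling; it embeds the digests listed above as the IoC set (the first artifact is not named in the record, so it is labelled generically), and the files it scans in its demo are constructed placeholders, not real software.

```python
import hashlib
import tempfile
from pathlib import Path

# Known-bad digests for the trojanized MB Connect Line downloads, copied from
# the Affected Artifacts section above. The first artifact is not named in the
# record, so it is labelled generically; VCOM_LAN2 has no published hashes.
HAVEX_IOCS = {
    "md5": {
        "0a9ae7fdcd9a9fe0d8c5c106e8940701": "MB Connect Line download (file not named in record)",
        "1d6b11f85debdda27e873662e721289e": "mbCHECK.exe (Europe build)",
    },
    "sha256": {
        "c32277fba70c82b237a86e9b542eb11b2b49e4995817b7c2da3ef67f6a971d4a": "MB Connect Line download (file not named in record)",
        "0b74282d9c03affb25bbecf28d5155c582e246f0ce21be27b75504f1779707f5": "mbCHECK.exe (Europe build)",
    },
}


def digest_bytes(data: bytes) -> dict:
    """Return lowercase hex md5 and sha256 of the given bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digest_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so large installers do not need to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(digests: dict, iocs: dict = HAVEX_IOCS) -> list:
    """Return (algorithm, label) pairs for every IoC digest the input matches.

    Each algorithm is checked independently and every hit is reported: an
    md5-only hit whose sha256 does not match still deserves a look rather
    than being silently discarded.
    """
    hits = []
    for algo, table in iocs.items():
        value = digests.get(algo, "").lower()
        if value in table:
            hits.append((algo, table[value]))
    return hits


def scan_directory(root: Path, patterns=("*.exe", "*.msi", "*.zip")) -> dict:
    """Map each installer-like file under root to its IoC hits (possibly empty)."""
    results = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            results[str(path.relative_to(root))] = match_iocs(digest_file(path))
    return results


def main() -> None:
    # Constructed sample files standing in for downloaded installers.
    # None of them is real MB Connect Line software.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mbCHECK.exe").write_bytes(b"constructed placeholder, not malware")
        (root / "notes.txt").write_bytes(b"ignored: not an installer pattern")
        for name, hits in scan_directory(root).items():
            verdict = "KNOWN-BAD" if hits else "no IoC match"
            print(f"{name}: {verdict} {hits if hits else ''}")


if __name__ == "__main__":
    main()
```

A known-bad list like this is reactive by nature: it only catches the two samples Netresec published, and the VCOM_LAN2 replacement cannot be matched at all because no hash for it exists. It is a triage aid for download caches and software repositories, not a substitute for the vendor confirming a clean build.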
Incident Context
- Motive: Espionage, Network Reconnaissance
- Attribution: State
- Cause: Website Compromise
- Transitive: No
- Actor: FSB Center 16 (Dragonfly/Energetic Bear)
External References
- Full Disclosure of Havex Trojans (netresec.com)
- Industrial Control Vendors Identified In Dragonfly Attack (securityledger.com)
- ICS Alert ICS-ALERT-14-176-02A: Ongoing Sophisticated Malware Campaign Compromising ICS (cisa.gov)
- ICS Advisory ICSA-14-178-01: ICS Focused Malware (cisa.gov)
- Dragonfly: Cyberespionage Attacks Against Energy Suppliers (web.archive.org)
- Havex Hunts For ICS/SCADA Systems (f-secure.com)
- US reveals Russian supply-chain attack on energy sector (theregister.com)
- Indictment: United States v. Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov (justice.gov)
Source record: proprietary/mb_connect/meta.yaml