Dragonfly Havex ICS vendor compromises
Dragonfly/Energetic Bear compromised industrial software vendors and placed Havex malware in official downloads. The linked attack records keep the MESA Imaging, eWON, and MB Connect Line distribution paths as separate entries.
Story
Dragonfly, also tracked as Energetic Bear, turned industrial software distribution into an espionage path. During the Havex phase, the operators compromised ICS and SCADA vendor sites and made trusted downloads carry remote-access malware.
The vendor compromises were not interchangeable. MESA Imaging supplied industrial camera software, eWON supplied remote-access tooling, and MB Connect Line supplied router and maintenance utilities. Each download looked like legitimate support software for engineers working near operational environments.
Havex gave the operators remote access and reconnaissance capability, including an OPC-scanning component used to look for industrial control systems after infection. That made the trojanized installer more than a foothold; it was a way to map what kind of plant or energy environment the victim might be connected to.
The campaign matters because each vendor served a different operational niche, but the actor, malware family, infrastructure, and industrial targeting were shared. Vendor records remain separate so responders can search concrete products, versions, hashes, and download windows.
Linked Attacks
2014
As part of the Dragonfly/Energetic Bear campaign, MB Connect Line, a German vendor of industrial routers and remote-access solutions, had official software installers trojanized with the Havex RAT.
Belgian ICS vendor eWON (later acquired by HMS Networks), which provides remote connectivity tools for industrial equipment, was targeted during the Dragonfly/Havex campaign attributed to Russia's FSB Center 16.
2013
MESA Imaging, a Swiss developer of 3D Time-of-Flight (ToF) cameras and related software used in industrial applications, was another vendor whose website was compromised during the Dragonfly/Havex campaign.
Campaign Context
- Actor: FSB Center 16 (Dragonfly/Energetic Bear)
- Attribution: State
- Cause: Unknown
Affected Packages
Notes
- The DOJ indictment describes more than 17,000 infected devices across the broader operation; linked attack records do not assign that whole count to any single vendor.
External References
- Full Disclosure of Havex Trojans (netresec.com)
- Havex Hunts For ICS/SCADA Systems (f-secure.com)
- Wikipedia: Havex (en.wikipedia.org)
- ICS Alert ICS-ALERT-14-176-02A: Ongoing Sophisticated Malware Campaign Compromising ICS (cisa.gov)
- ICS Advisory ICSA-14-178-01: ICS Focused Malware (cisa.gov)
- Dragonfly: Cyberespionage Attacks Against Energy Suppliers (web.archive.org)
- US reveals Russian supply-chain attack on energy sector (theregister.com)
- Indictment: United States v. Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov (justice.gov)
- Motives Behind Havex ICS Malware Campaign Remain a Mystery (threatpost.com)
- Industrial Control Vendors Identified In Dragonfly Attack (securityledger.com)
Source record: proprietary/campaigns/dragonfly-havex-ics-2014/meta.yaml