Havex operators target mission-critical controllers around the world.

Corporate spies have found an effective way to plant their malware on the networks of energy companies and other industrial heavyweights—by hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps.

That's what operators of the Havex malware family have done with aplomb, according to a report published Tuesday by researchers from antivirus provider F-Secure. Over the past few months, the malware group has taken a specific interest in the types of industrial control systems (ICS) used to automate everything from switches in electrical substations to sensitive equipment in nuclear power plants. In addition to the normal infection channels of spam e-mail, the malware operators have added a new tack—replacing the normal installation files of third-party software with tainted copies that surreptitiously install a remote access trojan (RAT) on the computers of targeted companies.

"It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers," F-Secure researchers Daavid Hentunen and Antti Tikkanen wrote. "Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet."

The compromised websites belong to companies involved in the development of software used in industrial applications. Two of them supply remote management software used in ICS systems, and the third develops high-precision industrial cameras and related software. The unidentified software companies are located in Germany, Switzerland, and Belgium.

Invisible to the naked eye

The post goes on to demonstrate how hard it is to spot anything amiss in the trojanized*installers. A dynamic analysis of one of the tainted installers showed it was nearly identical to the clean installer except for a single file—mbcheck.dll—that installs the RAT Havex operators use as a backdoor. The user is left with a computer that runs the third-party software as normal but is also wide open to the spies. F-Secure researchers hacked the poorly secured command and control servers used in the campaign and found that all of the targeted companies were associated in some way with the development or use of industrial applications or machines. One of the unnamed targets was located in California, and most or all of the others were in Europe.

Infected computers send a detailed list of all the other machines connected to the same local area network. They pinpoint machines that have "OPCServer" in their names. That's another indication of the interest in ICS systems, since Microsoft's OLE for Process Control is a standard way for Windows machines to interact with automated process control hardware, the F-Secure post notes. Using the Microsoft framework, the Havex trojan gathers details about connected devices. F-Secure researchers inside the command and control servers were able to monitor infected computers belonging to companies in multiple industries.

Infecting ICS and supervisory control and data acquisition (SCADA) gear used in even more mission-critical settings came into sharp focus following the discovery of Stuxnet, the cyberweapon that burrowed in to an Iranian nuclear facility and destroyed uranium centrifuges. More recently there was the revelation of another ICS hack on the heating system of a New Jersey company. F-Secure's monitoring of the Havex operators indicates that attacks are only becoming more effective.
"The attackers behind Havex are conducting industrial espionage using a clever method," Tuesday's report concluded. "Trojanizing ISC/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure."