{
	"id": "f372838d-3282-470f-bfe3-5dc83055653f",
	"created_at": "2026-04-06T00:22:02.11668Z",
	"updated_at": "2026-04-10T03:32:49.819851Z",
	"deleted_at": null,
	"sha1_hash": "d393fbf9aa10d631d0653c1b8ce7b6a5408ed563",
	"title": "ICS Focused Malware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66962,
	"plain_text": "ICS Focused Malware | CISA\r\nPublished: 2021-07-20 · Archived: 2026-04-05 14:51:23 UTC\r\nUpdated July 20, 2021: The U.S. Government attributes this activity to Russian nation-state cyber actors and\r\nassesses that Russian nation-state cyber actors deployed Havex malware against industrial control systems. For\r\nmore information on Russian malicious cyber activity, refer to us-cert.cisa.gov/Russia.\r\nOVERVIEW\r\nThis advisory is a follow-up to the updated alert titled ICS-ALERT-14-176-02A that was published June 27, 2014,\r\non the NCCIC/ICS-CERT web site. This advisory provides additional details regarding ICS Focused Malware\r\nHavex.\r\nNCCIC/ICS-CERT is analyzing malware and artifacts associated with an industrial control system (ICS) focused\r\nmalware campaign that uses multiple vectors for infection. These include phishing emails, redirections to\r\ncompromised web sites and, most recently, trojanized update installers on at least three ICS vendor web sites, in\r\nwhat are referred to as watering-hole style attacks. Based on information ICS-CERT has obtained from Symantec\r\nand F-Secure (web site last accessed June 27, 2014), the software installers for these vendors were infected\r\nwith malware known as the Havex Trojan (Backdoor.Oldrea; web site last accessed June 27, 2014). According\r\nto analysis, these techniques could have allowed attackers to access the networks of systems that have installed the\r\ntrojanized software. Symantec describes the victims as Spain, US, France, Italy, and Germany in that order.\r\nSymantec has posted a Security Response whitepaper that details this activity and provides indicators of\r\ncompromise. Symantec also ties this campaign with previous watering hole activity, namely Trojan.Karagany and\r\nthe Lightsout exploit kit.\r\nThe Trojan.Karagany was previously identified by Cisco as part of another watering hole attack targeting energy\r\nand oil sectors.
This malware was analyzed and detailed by ICS-CERT in Analysis Report-14-30001 Cisco\r\nWatering-Hole Malware, located within the secure portal library.\r\nOPC PAYLOAD\r\nHavex is a Remote Access Trojan (RAT) that communicates with a Command and Control (C\u0026C) server. The\r\nC\u0026C server can deploy payloads that provide additional functionality. ICS‑CERT has identified and analyzed one\r\npayload that enumerates all connected network resources, such as computers or shared resources, and uses the\r\nclassic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications\r\n(OPC) standard to gather information about connected control system devices and resources within the network.\r\nThe known components of the identified Havex payload do not appear to target devices using the newer OPC\r\nUnified Architecture (UA) standard.\r\nIn particular, the payload gathers server information that includes CLSID, server name, Program ID, OPC version,\r\nvendor information, running state, group count, and server bandwidth. In addition to more generic OPC server\r\nhttps://ics-cert.us-cert.gov/advisories/ICSA-14-178-01\r\nPage 1 of 6\n\ninformation, the Havex payload also has the capability of enumerating OPC tags. ICS-CERT is currently\r\nanalyzing this payload; at this time ICS-CERT has not found any additional functionality to control or make\r\nchanges to the connected hardware.\r\nICS-CERT testing has determined that the Havex payload has caused multiple common OPC platforms to\r\nintermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.\r\nOPC provides an open standard specification that is widely used in process control, manufacturing automation,\r\nand other applications. The technology facilitates open connectivity and vendor equipment interoperability. 
The\r\noriginal version of the OPC specification, referred to as OPC classic, was implemented using Microsoft’s\r\nCOM/DCOM (Distributed Component Object Model) technology. In 2006, the OPC Foundation released a new\r\nstandard, referred to as OPC Unified Architecture (UA), which does not use COM/DCOM. The known\r\ncomponents of the identified Havex malware payload do not appear to target devices using the newer OPC UA\r\nstandard.\r\nICS-CERT tested the payload against multiple OPC servers. An example of the information gathered can be seen\r\nbelow.\r\nProgram was started at 09:20:11\r\n**************************************************************************\r\n09:20:11.0828: Start finging of LAN hosts...\r\n09:20:18.0109: Was found 3 hosts in LAN:\r\n                           01) [\\\\vmware-host\\Shared Folders]\r\n                           02) [\\\\FEAE35F]\r\n                           03) [\\\\SBWIN7]\r\n**************************************************************************\r\n09:20:18.0203: Start finging of OPC Servers...\r\n09:20:39.0390: Thread 01 return error code: 0x800706ba\r\n09:20:39.0390: Thread 02 return error code: 0x80070005\r\n09:20:39.0390: Thread 03 return error code: 0x800706ba\r\n09:20:39.0390: Thread 05 return error code: 0x80070005\r\n09:20:39.0390: Thread 06 return error code: 0x80070005\r\n09:20:39.0390: Was found 2 OPC Servers.\r\n         1) [Redacted Vendor Name]\r\n               CLSID:               {Redacted Class ID}\r\n               UserType:            Redacted Vendor Name\r\n               VerIndProgID:        Redacted Vendor Name\r\n               OPC version support: +++\r\n         2) [Redacted Vendor Name]\r\n               CLSID:               {Redacted Class ID}\r\n               UserType:            Redacted Vendor Name\r\n               VerIndProgID:        Redacted Vendor Name\r\n               OPC version support: ++-\r\n**************************************************************************\r\n09:20:39.0500: Start finging of OPC Tags...\r\n09:20:39.0500: Thread 01 running...\r\n09:20:39.0531: Thread 02 running...\r\n09:20:51.0437: Thread 01 was terminated by ThreadManager(2)\r\n09:20:51.0546: Thread 02 was terminated by ThreadManager(2)\r\n09:20:53.0140: Thread 01 return error code: 0xfffffffe\r\n09:20:53.0171: Thread 02 return error code: 0xfffffffe\r\n   1) Redacted Vendor Name\r\n      Saved in 'OPCServer01.txt'\r\nThese data are stored in a file that is created in the user’s TEMP directory under a random name with an extension\r\nof “.tmp.dat.” When all information has been written to this file, an encrypted version of this file is created in the\r\nsame directory with a random name and a “.tmp.yls” extension. The plain text file is then deleted.\r\nIn addition to more generic OPC server information, the Havex payload also has the capability of enumerating\r\nOPC tags. Specifically, the server is queried for tag name, type, access and id. OPC tag information that is\r\ncollected is written to a separate file “OPCServerXX.txt” where XX is a number beginning from one and\r\nincrementing every time OPC tag information has been retrieved from an OPC server.\r\nOPC Server[\\\\Redacted Vendor Name]\r\nServer state: 1\r\nGroup count value: 0\r\nServer band width: ffffffff\r\n[root]\r\n  Redacted Vendor Info\r\nNone of the versions of the Havex malware payload that have been analyzed thus far contain any functionality to\r\ncontrol or make changes to connected control system devices.\r\nMITIGATIONS\r\nSymantec and F-Secure reports include technical indicators of compromise that can be used for detection and\r\nnetwork defense. ICS-CERT strongly recommends that organizations check their network logs for activity\r\nassociated with this campaign.
Any organization experiencing activity related to this report should preserve\r\navailable evidence for forensic analysis and future law enforcement purposes. For more questions about incident\r\nhandling or preserving data, please reference ICS-CERT Incident Handling guidelines.\r\nICS-CERT has provided a Havex_Karagany.xlsx file on the US-CERT portal containing SHA1 hashes of malware\r\nfor both Havex and Karagany.\r\nOPC specific recommendations include:\r\nEnforce strict access control lists and authentication protocols for network level access to OPC clients and\r\nservers.\r\nLimit DCOM/RPC communications via the DCOMCNFG utility, because of well-known vulnerabilities inherent to RPC and DCOM.\r\nWhen using OPC.NET-based communications, ensure that the HTTP server enforces proper authentication\r\nand encryption of the OPC communications for both clients and servers.\r\nLeverage the OPC Security specification when possible.\r\nAvoid wide-scale use of local mirrored user accounts to facilitate DCOM authentication.\r\nFollow recommended guidelines for securing OPC communications via accounts that possess least-user\r\nprivileges.\r\nWhen tunneling cannot be used, limit the range of DCOM/RPC communications via the DCOMCNFG\r\nutility, and pay special attention to the use of OPC “callbacks” across security perimeters.\r\nVendor specific mitigation:\r\nDigitally signing code provides a mechanism for detecting software tampering and helps assure recipients\r\nthat the software does come from the vendor.\r\nVendors who have not digitally signed their code should compare cryptographic hashes from their secure\r\nsoftware repositories with the cryptographic hashes of files stored on public servers. These cryptographic\r\nhashes should also be made available to customers who are downloading the code, so that they can verify\r\nthe integrity of their download.
Vendors may also consider scanning installation files stored on public\r\nservers using current antivirus software. ICS-CERT tested 16 common antivirus software applications\r\nagainst the Havex malware and found that most of them were able to detect the malware.\r\nAdditional mitigations to consider include:\r\nAlways keep your patch levels up to date, especially on computers that host public services accessible\r\nthrough the firewall, such as HTTP, FTP, mail, and DNS services.\r\nMaintain up-to-date antivirus signatures and engines, and apply them based on industrial control system\r\nvendor recommendations.\r\nBuild host systems, especially critical systems such as servers, with only essential applications and\r\ncomponents required to perform the intended function. Where possible remove or disable any unused\r\napplications or functions to limit the attack surface of the host.\r\nImplement network segmentation through V-LANs to limit the spread of malware.\r\nExercise caution when using removable media (USB thumb drives, external drives, CDs).\r\nConsider the deployment of Software Restriction Policy set to only allow the execution of approved\r\nsoftware (application whitelisting).\r\nWhitelist legitimate executable directories to prevent the execution of potentially malicious binaries.\r\nConsider the use of two-factor authentication methods for accessing privileged root level accounts or\r\nsystems.\r\nWhen remote access is required, consider deploying two-factor authentication through a hardened\r\nIPsec/VPN gateway with split-tunneling prohibited for secure remote access. Be prepared to operate\r\nwithout remote access during an incident if required.\r\nImplement a secure socket layer (SSL) inspection capability to inspect both ingress and egress encrypted\r\nnetwork traffic for potential malicious activity.\r\nMinimize network exposure for all control system devices.
Control system devices should not directly face\r\nthe Internet.\r\nPlace control system networks behind firewalls and isolate or air gap them from the business network.\r\nProvide robust logging such as network, host, proxy, DNS and IDS logs.\r\nLeverage the static nature of control systems to look for anomalies.\r\nUse configuration management to detect changes on field devices. Produce an MD5 checksum of clean\r\ncode to verify any changes.\r\nPrepare for an incident with a dedicated incident response team and an incident response plan. Test both\r\nyour plan and your team.\r\nICS-CERT and US-CERT remind organizations to perform proper impact analysis and risk assessment\r\nprior to taking defensive measures.\r\nAdditional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical\r\nInformation Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Detection and Mitigation Strategies, that is\r\navailable for download from the ICS-CERT web site (www.ics-cert.org).\r\nICS-CERT also provides a recommended practices section for control systems on the US-CERT web site. Several\r\nrecommended practices are available for reading or download, including Improving Industrial Control Systems\r\nCybersecurity with Defense-in-Depth Strategies.\r\nOrganizations observing any suspected malicious activity should follow their established internal procedures and\r\nreport their findings to ICS-CERT for tracking and correlation against other incidents.\r\nSource: https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01"
	],
	"report_names": [
		"ICSA-14-178-01"
	],
	"threat_actors": [
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775791969,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d393fbf9aa10d631d0653c1b8ce7b6a5408ed563.pdf",
		"text": "https://archive.orkl.eu/d393fbf9aa10d631d0653c1b8ce7b6a5408ed563.txt",
		"img": "https://archive.orkl.eu/d393fbf9aa10d631d0653c1b8ce7b6a5408ed563.jpg"
	}
}