Stuxnet-Like Virus Hits European Power Plants: Shut Down A Nation’s Grid With A Keystroke

Gov Slaves

(Swati Khandelwal)  Security researchers have uncovered a new Stuxnet-like malware, named “Havex”, which was used in a number of previous cyber attacks against organizations in the energy sector.

Just like the famous Stuxnet worm, which was specially designed to sabotage the Iranian nuclear project, the new Havex trojan is also programmed to infect the software of industrial control systems (SCADA and ICS), with the capability to possibly disable hydroelectric dams, overload nuclear power plants, and even shut down a country’s power grid with a single keystroke.

According to security firm F-Secure, which first detected it as Backdoor:W32/Havex.A, it is a generic remote access Trojan (RAT) that has recently been used to carry out industrial espionage against a number of companies in Europe that use or develop industrial applications and machines.

SMARTY PANTS, TROJANIZED INSTALLERS

To accomplish this, besides traditional infection methods such as exploit kits and spam emails, the cybercriminals also used another effective method to spread the Havex RAT: hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps.

During installation, the trojanized software setup drops a file called “mbcheck.dll”, which is actually the Havex malware that the attackers use as a backdoor. “The C&C server will [then] instruct infected computers to download and execute further components,” F-Secure said.

“We gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1500 IP addresses in an attempt to identify victims.”

F-Secure didn’t name the affected vendors, but an industrial machine producer and two educational organizations in France, along with companies in Germany, were targeted.

INFORMATION GATHERING

The Havex RAT is equipped with a new component whose purpose is to gather information about the network and connected devices by leveraging the OPC (Open Platform Communications) standard.

OPC is a communications standard that allows interaction between Windows-based SCADA applications and process control hardware. The malware scans the local network for the devices that respond to OPC requests to gather information about industrial control devices and then sends that information back to its command-and-control (C&C) server.
Other than this, it also includes information-harvesting tools that gather data from the infected systems, such as:

  • Operating system related information
  • A credential-harvesting tool that steals passwords stored in web browsers
  • A component that communicates with different command-and-control servers using custom protocols and executes tertiary payloads in memory.
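The OPC scanning component described above has a network footprint a defender can look for: one host contacting many distinct internal machines on the DCOM endpoint-mapper port in a short window. The following Python is an added detection example, not code from the article or from F-Secure; it assumes constructed flow-log lines in a simple "timestamp src dst dport" form, that OPC Classic rides on DCOM over TCP 135, and illustrative window and threshold values.

```python
"""Detect DCOM/OPC endpoint-mapper fan-out (a Havex-style OPC sweep) in flow logs.
Added example, not from the article or F-Secure. Assumes constructed
"ts src dst dport" flow lines and that OPC Classic uses DCOM over TCP 135."""
from collections import defaultdict
from datetime import datetime, timedelta

OPC_ENDPOINT_MAPPER_PORT = 135   # DCOM endpoint mapper used by OPC Classic (assumption)
WINDOW = timedelta(minutes=5)    # sliding window for counting distinct targets
MIN_DISTINCT_TARGETS = 5         # distinct hosts probed before alerting

# Constructed flows: 10.0.5.20 talks to one OPC server; 10.0.5.77 probes six hosts.
SAMPLE_FLOWS = """\
2014-06-24T09:00:01 10.0.5.20 10.0.5.10 135
2014-06-24T09:00:02 10.0.5.20 10.0.5.10 49153
2014-06-24T09:10:00 10.0.5.77 10.0.5.1 135
2014-06-24T09:10:01 10.0.5.77 10.0.5.2 135
2014-06-24T09:10:02 10.0.5.77 10.0.5.3 135
2014-06-24T09:10:03 10.0.5.77 10.0.5.4 135
2014-06-24T09:10:04 10.0.5.77 10.0.5.5 135
2014-06-24T09:10:05 10.0.5.77 10.0.5.10 135
2014-06-24T09:20:00 10.0.5.20 10.0.5.10 135
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, dport), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_opc_sweepers(text, window=WINDOW, threshold=MIN_DISTINCT_TARGETS):
    """Return {src: max distinct endpoint-mapper targets in one window} for
    every source reaching the threshold; a client talking to one server stays out."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        if dport == OPC_ENDPOINT_MAPPER_PORT:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts
```

On the constructed sample, `find_opc_sweepers(SAMPLE_FLOWS)` returns `{'10.0.5.77': 6}`; the workstation that repeatedly talks to a single OPC server is not flagged.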

“So far, we have not seen any payloads that attempt to control the connected hardware,” F-Secure confirmed.

MOTIVATION?

While their motivation is unclear at this point, F-Secure noted: “We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations.”

HAVEX TROJAN FROM RUSSIANS?

In January this year, cybersecurity firm CrowdStrike revealed a cyber espionage campaign, dubbed “Energetic Bear,” in which hackers possibly tied to the Russian Federation penetrated the computer networks of energy companies in Europe, the United States and Asia.

According to CrowdStrike, the malware used in those cyber attacks was the HAVEX RAT and the SYSMain RAT; HAVEX is possibly a newer version of SYSMain, and both tools have been operated by the attackers since at least 2011.

That means it is possible that the Havex RAT is somehow linked to Russian hackers or sponsored by the Russian government.


5 thoughts on “Stuxnet-Like Virus Hits European Power Plants: Shut Down A Nation’s Grid With A Keystroke”

  1. Stuxnet again….

    First Japan, then Iran, then Europe, I guess North America (as in both Canada and the US) is next, right, since it is making its way across the West?

    Didn’t Russia, China and India get hit with it too at one time? I don’t remember.

  2. What idiot connects a nuclear power plant capable of killing thousands and poisoning land the size of New York for 100 years… to the internet… and being able to melt down the plant with a keyboard stroke? A child of 6 has more common sense than the people running government.

  3. “Didn’t Russia, China and India get hit with it too at one time? I don’t remember”
    I don’t know for sure but something smells like something in the works.

  4. I’m thinking the US, Israel, Russia, China and maybe even Iran ALL have a copy of this Stuxnet virus and are just using it to try and one-up the other or to play crippling games against each other in order to deteriorate this world even more.

  5. You notice the attack vector is the usual one – WINDOWS.

    If I was running a power plant or other industrial concern and caught anybody using Windows I’d beat their ass with a steel pipe!

    I won’t even allow it in my house.
    And why are industrial control systems networked to the internet anyway?
    That also requires some pipework!!!
