

Working in cooperation with Belden, Joel Langill of RedHat Cyber and founder of SCADAhacker.com has released one of the most comprehensive technical reports on the Dragonfly campaign and the impact of the Havex malware on industrial control systems, including new insight into who this attack may have been targeting (hint ... it is NOT the Energy Sector!). This four-part series breaks the analysis into a set of "ABCDs for ICS", describing the Attack, the Building Blocks, the Consequences, and the Defenses.

Dragonfly/Havex Reference Material

The following material was compiled from a variety of reliable sources, and contains information covering the various aspects of the Dragonfly/Energetic Bear campaign and the Havex trojan directly and indirectly targeting industrial control systems. If you find anything new and useful, including some sample binary code, please email me.

Detailed Analysis and Reports

Dragonfly (Security Response) - Version 1.0 - published by Symantec June 30, 2014
Western Energy Companies Under Sabotage Threat - published by Symantec June 30, 2014
Havex Hunts for ICS/SCADA Systems - published by F-Secure June 23, 2014

Industrial Control System Cyber Emergency Response Team (ICS-CERT)

ICSA-14-178-01 - published June 30, 2014
ICS-ALERT-14-176-02A - published June 27, 2014

Blogs and Posts of Interest (most recent first)

List Last Updated: July 9, 2014 - 7:45am GMT

Added July 9, 2014
Motives Behind Havex ICS Malware Campaign Remain a Mystery - ThreatPost - 7/7/14
Stakes rising as malware matures - GCN - 7/7/14
Russian Programmers Look to Control-Alt-Delete U.S. Energy - Motley Fool - 7/7/14
U.S. Urges Energy Companies To Be On Guard Against Russian Cyberattacks - OilPrice.com - 7/6/14
US Midwest power grid thwarts cyberattack - Economic Times - 7/5/14
Malware Targets Industrial Controls and OPC Servers - Drives & Controls - 7/3/14
Dragonfly and cybercrime: A global threat needs a global response - Oil & Gas Technology - 7/3/14
US Energy Firms Report Cyber Attacks - TechWeek Europe - 7/3/14
An anti-US Stuxnet? Startling attack against industrial complex revealed - CSM - 7/1/14
Havex Malware Targets ICS/SCADA Systems - Cimation - 6/30/14

Operation Dragonfly Imperils Industrial Protocol - McAfee (Samani) - 7/2/14
Russia attacks U.S. oil and gas companies in massive hack - CNN - 7/2/14
Hackers Find Open Back Door to Power Grid With Renewables - Bloomberg - 7/2/14
Hackers attacking oil, gas companies using 'Energetic Bear' - FoxNews - 7/1/14
Energy firms hacked by 'cyber-espionage group Dragonfly' - BBCNews - 7/1/14
Dragonfly Russian Hackers Target 1000 Western Energy Firms - Hacker News - 7/1/14
Energy Companies Face Threats From Group Linked to Defense Industry Attacks - WSJ - 6/30/14
Energy Companies Hit by Cyber Attack from Russia-linked Group - Financial Times - 6/30/14
ICS Malware Found on Vendors' Update Installers - ThreatPost - 6/30/14
Dragonfly: Western Energy Companies Under Sabotage Threat - Symantec - 6/30/14
Havex SCADA RAT Summary Report: Analyst Feedback and Remediations - CWZ - 6/27/14
Attackers fling Stuxnet-style RATs at critical control software in EUROPE - The Register - 6/26/14
DHS Investigating Havex Trojan Which Targets Energy Companies - WSJ - 6/26/14
'Havex' malware strikes industrial sector via watering hole attacks - SC Magazine - 6/25/14
New Havex malware variants target industrial control system, SCADA users - ComputerWorld - 6/24/14
New Havex malware variants target industrial control system and SCADA users - PCWorld - 6/24/14
Havex Hunts for ICS/SCADA Systems - F-Secure - 6/23/14
Talk2M Incident Report - eWon - 1/30/14

Indicators of Compromise Data

dragonfly ics scada compromise - 7/3/14 - OpenIOC (IOCBucket.com)
havex rat - 6/29/14 - YARA - (IOCBucket.com)
havex ics_scada espionage malware - 6/27/14 - OpenIOC (IOCBucket.com)

Mandiant OpenIOC Editor/Viewer

White Papers Co-Authored by SCADAhacker

Cyberespionage Campaign Hits Energy Companies ( US format | A4 format )

Other Valuable Information

Global Threat Report 2013 - CrowdStrike

Havex OPC Payload - String Definitions Sample (Images by SCADAhacker)

Havex OPC Payload - Executable Code Sample (Images by SCADAhacker)

Indicators of Compromise using Mandiant IOC Editor (Software by Mandiant / Images by SCADAhacker)

Timeline of Dragonfly Operations (Source: Symantec)