Havex is a Remote Access Trojan (RAT) that communicates with a Command and Control (C&C) server. The C&C server can deploy payloads that provide additional functionality. The threat actors deliver the malware through phishing emails, redirections to compromised websites, and, most recently, trojanized update installers hosted on at least three ICS vendor websites. According to analysis, these techniques could have given the attackers access to the networks of any system on which the tampered software was installed.
Since at least September 2020, a Russian state-sponsored APT actor, known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting, has conducted a campaign against a wide variety of U.S. targets. The actor has targeted dozens of state, local, tribal, and territorial (SLTT) government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and exfiltrated data from at least two victim servers. The actor obtains user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high-value assets in order to exfiltrate data. In at least one compromise, the actor moved laterally through an SLTT victim network and accessed documents related to sensitive network configurations and passwords; standard operating procedures (SOPs), such as enrolling in multi-factor authentication (MFA); IT instructions, such as requesting password resets; vendor and purchasing information; and printing access badges, among others.