Dale Peterson of the firm Digital Bond identified two of the vendors (http://www.digitalbond.com/blog/2014/07/02/havex-hype-unhelpful-mystery/) as MB Connect Line (http://mbconnectline.com/index.php/en/contact/company), a German maker of industrial routers and remote access appliances, and eWon (http://www.ewon.biz/en/home.html), a Belgian firm that makes virtual private network (VPN) software used to reach industrial control devices such as programmable logic controllers. Peterson has also identified the third vendor, described by F-Secure as a Swiss company, but told The Security Ledger that he cannot share the name of that firm.
The three firms, which serve customers in industry, including owners of critical infrastructure, were the subject of a warning from the Department of Homeland Security. DHS's ICS-CERT said it was alerted to the compromises of the vendors' websites by researchers at the security firms Symantec and F-Secure (https://securityledger.com/2014/07/dhs-warns-energy-firms-of-malware-used-in-targeted-attacks/). DHS said it is analyzing malware associated with the attacks. The malicious software, dubbed "Havex", was being spread by way of so-called "watering hole" attacks in which the vendors' websites were compromised and used to serve the malware to the vendors' own customers.
According to Symantec, the malware targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. Most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.
Symantec described the group behind the Dragonfly/Havex malware as "well resourced, with a range of malware tools at its disposal." The security firm CrowdStrike said the attacks were the work of a group it tracks as "Energetic Bear" (http://www.reuters.com/article/2014/07/02/us-cybersecurity-energeticbear-idUSKBN0F722V20140702), which it assesses to be of Russian origin and focused on espionage.
Contacted by The Security Ledger, Gérald Olivier, a Marketing Manager at eWon, said the compromise of its website occurred in January 2014. According to an incident report prepared by the company, the attackers compromised the content management system (CMS) used to manage the company's website and uploaded a trojanized version of the setup program for an eWon product called Talk2M. Hyperlinks on the eWon page that had pointed to the legitimate setup file were changed to point to the malicious file, so a customer following the vendor's own download link received the malware. If installed, the malware could capture the login credentials of eWon Talk2M customers. The second firm, MB Connect Line, did not respond to requests for comment from The Security Ledger.
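The eWon incident describes two things a defender can check for without any vendor cooperation: whether the download links on a vendor page have silently changed, and whether the installer a link serves still matches a hash pinned when the file was known to be good. The script below is an added illustration of both checks and is not code from The Security Ledger, eWon, or the incident report; the page content, the filename "Talk2M_Setup.exe", the "vendor.example" host and the installer bytes are all constructed here for the example.

```python
"""Two integrity checks for a vendor download page, as described in the eWon case:
1. detect installer hyperlinks that were added, removed or redirected since a baseline
   was taken (the link-swap step of the CMS compromise);
2. verify a downloaded installer against a SHA-256 pinned from a known-good copy
   (catches the trojanized file even if the link itself looks unchanged).
Only the standard library is used. All inputs are constructed for this example."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

INSTALLER_SUFFIXES = (".exe", ".msi", ".zip")


class LinkExtractor(HTMLParser):
    """Collect every href on the page; filtering happens afterwards."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def installer_links(html, base_url):
    """Absolute URLs of links on the page whose path looks like an installer."""
    parser = LinkExtractor()
    parser.feed(html)
    found = set()
    for href in parser.hrefs:
        absolute = urljoin(base_url, href)
        if urlparse(absolute).path.lower().endswith(INSTALLER_SUFFIXES):
            found.add(absolute)
    return sorted(found)


def link_drift(baseline_links, current_html, base_url):
    """Compare installer links on the live page with a previously recorded baseline.
    A link that was 'removed' and replaced by one that was 'added' is exactly the
    redirect-to-malicious-file pattern from the eWon report."""
    baseline = set(baseline_links)
    current = set(installer_links(current_html, base_url))
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


def verify_installer(data, expected_sha256):
    """True only if the downloaded bytes hash to the pinned value."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


# Constructed sample pages (hypothetical host and filename, not eWon's real site).
BASE_URL = "https://vendor.example/"
BASELINE_PAGE = """<html><body>
<a href="/downloads/Talk2M_Setup.exe">Download Talk2M setup</a>
<a href="/docs/manual.pdf">Manual</a>
</body></html>"""
# The same page after an attacker with CMS access repointed the download link.
TAMPERED_PAGE = """<html><body>
<a href="/cms/uploads/Talk2M_Setup.exe">Download Talk2M setup</a>
<a href="/docs/manual.pdf">Manual</a>
</body></html>"""

# Constructed stand-in for the legitimate installer and its pinned hash.
GOOD_INSTALLER = b"MZ\x90\x00constructed-installer-bytes"
PINNED_SHA256 = hashlib.sha256(GOOD_INSTALLER).hexdigest()
TROJANIZED_INSTALLER = GOOD_INSTALLER + b"\x00constructed-added-payload"


def run_checks():
    """Return both findings so a scheduler or test can act on them."""
    baseline = installer_links(BASELINE_PAGE, BASE_URL)
    drift = link_drift(baseline, TAMPERED_PAGE, BASE_URL)
    hashes_ok = {
        "good": verify_installer(GOOD_INSTALLER, PINNED_SHA256),
        "trojanized": verify_installer(TROJANIZED_INSTALLER, PINNED_SHA256),
    }
    return drift, hashes_ok


if __name__ == "__main__":
    drift, hashes_ok = run_checks()
    if drift["added"] or drift["removed"]:
        print("ALERT: installer links changed:", drift)
    print("hash verification:", hashes_ok)
```

In practice the baseline links and pinned hashes are recorded out of band (for example when a vendor release is first validated) and the live page and file are fetched on a schedule; the hash check is the stronger of the two, since an attacker who replaces the file in place leaves the link untouched, and it should be complemented by checking the installer's code signature where the vendor signs releases.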