We are getting a large number of reports of targetted attacks aimed at Pharmaceutical companies in the US and Europe. We have seen several different variants of a new malware campaign known a "Havex" that are not being detected by AV products.
1. Out of thousands of possible ICS suppliers, the three companies
targeted for trojanized software were not primary suppliers to “energy”
facilities. Instead, all three offered products and services most
commonly used by the pharmaceutical industry.
2. The Dragonfly attack is very similar in nature to another campaign
called Epic Turla and is likely managed by the same team. Epic Turla has
been shown to have targeted the intellectual property of pharmaceutical
companies.
3. The Dragonfly malware contained an Industrial Protocol Scanner module
that searched for devices on TCP ports 44818 (Omron, Rockwell
Automation), 102 (Siemens) and 502 (Schneider Electric). These protocols
and products have a higher installed base in packaging and
manufacturing applications typically found in consumer packaged goods
industries, such as pharmaceutical rather than the energy industry.
“My research, coupled with my knowledge of the pharmaceutical industry,
led me to conclude that it was the target of Dragonfly,” remarked
Langill. “The potential damage could include the theft of proprietary
recipes and production batch sequence steps, as well as network and
device information that indicate manufacturing plant volumes and
capabilities.”
No comments:
Post a Comment