Crouching Yeti still spying
Cyber espionage campaign still active, origins of attacks unclear
Kaspersky Lab has warned that the cyber espionage campaign known both as Energetic Bear and Crouching Yeti is still actively spying on a wide range of institutions worldwide.
Energetic Bear/Crouching Yeti has been active since at least 2010, the security company said, with over 2,800 targets worldwide in sectors including industrial/machinery, manufacturing, pharmaceutical, construction, education, and information technology.
A new analysis of the malware and command and control (C&C) infrastructure of the campaign by Kaspersky has shown that the attack does not use highly sophisticated malware, and also throws doubt on the presumed origin of the campaign.
‘Energetic Bear' was originally named by security technology vendor CrowdStrike - ‘energetic' because it was mainly thought to target the energy sector and ‘bear' because it was presumed to be of Russian origin.
Kaspersky say there is no strong evidence of the origin of the campaign, hence it should be renamed ‘Yeti' because Yetis "have a mysterious origin".
The file time stamps on Crouching Yeti related documents could be related to any country in eastern or western Europe, Kaspersky notes, while strings present in the analyzed malware are in English (written by non-natives), with no Cyrillic (Russian alphabet) content or transliteration which had been seen in other campaigns of known Russian origin. Language clues pointing at French and Swedish speakers were found.
Nicolas Brulez, Principal Security Researcher at Kaspersky Lab, said: "The Energetic Bear was the initial name given to this campaign by CrowdStrike according to their nomenclature. The Bear goes for attribution, and CrowdStrike believes this campaign has a Russian origin. Kaspersky Lab is still investigating all existing leads; however, at the moment there are no strong points in either direction. Also our analysis demonstrates that the attackers' global focus is much broader than just power producers. Based on this data, we decided to give a new name to the phenomenon: a Yeti reminds one of a bear, but it has a mysterious origin."
Kaspersky now believes the campaign is not just highly targeted against the energy sector, but is a broader surveillance campaign monitoring different sectors.
Victims have been detected in United States, Spain and Japan, as well as Germany, France, Italy, Turkey, Ireland, Poland and China.
Crouching Yeti mainly infects targets using spearphishing using PDF documents embedded with a flash exploit, Trojanized software installers and waterhole attacks using a variety of re-used exploits. Kaspersky notes that the campaign does not use any zero-day exploits, only known exploits, and is mainly reliant on five types of tools to steal data from infected targets, namely the Havex trojan; Sysmain trojan; ClientX backdoor; Karagany backdoor and related stealers and Lateral movement and second stage tools.
The most widely used tool is the Havex Trojan. In total Kaspersky Lab researchers discovered 27 different versions of this malicious program and several additional modules, including tools aimed at gathering data from industrial control systems.
For command and control, Havex and the other malicious tools used by Crouching Yeti connect to a large network of hacked websites. These sites host victim information and serve commands to infected systems along with additional malware modules.
The list of downloadable modules includes tools for password and Outlook contacts' stealing, screenshot capturing, and also modules for searching and stealing certain types of files: text documents, spreadsheets, databases, PDF files, virtual drives, password protected files, pgp security keys, etc.
At present, the Havex Trojan is known to have two very special modules aimed at gathering and transmitting to the attacker data from specific industrial IT environments. The OPC scanner module is designed to collect the extremely detailed data about the OPC servers running in the local network. Such servers are usually used where multiple industrial automation systems are operating. The second module is a network scanning tool designed to scan the local network, look for all computers listening on ports related to OPC/SCADA software, and try to connect to such hosts in order to identify which potential OPC/SCADA system is running, and transmit all gathered data to the command & control servers.
Kaspersky Lab products detect and eliminate all variants of the malware used in this campaign, the company said.