Kaspersky report on Energetic Bear – Crouching Yeti APT campaign

The Kaspersky Lab Team has issued a report which includes details of the investigation related to the Energetic Bear – Crouching Yeti APT campaign.

Energetic Bear, aka Crouching Yeti, is the recently discovered APT campaign that targeted energy companies, manufacturers, industrial, pharmaceutical, construction, and many IT companies.

Security experts have analyzed the Energetic Bear APT campaign, which appears to be a long-term operation which targeted companies in several countries, Kaspersky Lab Team, for example, published a report which details the attack chain and control infrastructure used by bad actors.

The Energetic Bear APT campaign is mainly focused on cyber espionage, the bad actors used malware based attacks to siphon sensitive information from targeted organizations.

The company has identified nearly 2800 victims worldwide, the attackers used a large network of hacked websites (219 domains) as command and control infrastructure, the majority of these websites were legitimate and were used to serve malware and instruct bot agents worldwide to collect information on targeted systems. Most of the 2,800 companies identified as victims of the attack are in the industrial/machinery market and researchers say the most-targeted countries are the United States, Spain, Japan and Germany. The bad actor behind Energetic Bear APT campaign used to compromise poorly configured servers to server RAT.

” They ran vulnerable content management systems or vulnerable web applications. None of the exploits used to compromise the servers were known to be zero-day. None of the client side exploits re-used from the open source metasploit framework were zero-day.” reports the report published by Kaspersky Lab.

The attackers used the following attack scheme to infect victims:

• Spearphishing using PDF documents embedded with a flash exploit (CVE-2011-0611)
• Trojanized software installers
• Waterhole attacks using a variety of re-used exploits

Experts at Kaspersky have identified 219 unique domain names for these C&C servers hosted in 21 different countries, the majority of C&C servers was located in the US (81 servers), Germany (33 servers), the Russian Federation (19 servers) and the United Kingdom (7 servers).

Bad actors behind the Energetic Bear APT campaign used several malicious codes which targeted only Windows systems, the toolset adopted has remained stable over time according to Kaspersky experts:
• Havex Trojan
• Sysmain Trojan
• The ClientX backdoor
• Karagany backdoor and related stealers
• Lateral movement and second stage tools

The experts speculated that the cyber espionage campaign began as early as 2010, despite active infections have fallen by about 50 percent since the beginning of 2014 according to the data provided by Kaspersky.

The bad actors behind the  Energetic Bear APT campaign are highly determined and focused on a very specific industrial sector of vital interest, the hackers which are operating the Energetic Bear APT campaign are most active during the week, a circumstance that suggests to me that they could be state-sponsored hackers.