Crouching Yeti: Espionage with 2,800 targets in Greece & Europe

Crouching Yeti: an active espionage campaign with more than 2,800 targets worldwide. Crouching Yeti has also turned against targets in Greece and the wider Southeast Europe.

Kaspersky Lab has published a new analysis of the malware and the Command & Control server infrastructure associated with the Crouching Yeti cyber-espionage campaign, as reported by experts from the company's Global Research and Analysis Team. The campaign has been active since 2010 and is definitely still running today, targeting new victims every day. The campaign is also known as Energetic Bear.

Nicolas Brulez, Principal Security Researcher at Kaspersky Lab, said: "This campaign was originally called Energetic Bear by CrowdStrike, according to its nomenclature. The 'Bear' refers to the potential origin of the campaign, as CrowdStrike believes it originated in Russia. Kaspersky Lab is still investigating all existing assets. However, at this time there are no strong indications in any direction. Also, our analysis shows that the global targeting of the attackers extends beyond the energy producers where the campaign seems to have originally focused. Based on these facts, we decided to give a new name to the campaign. A yeti is reminiscent of a bear, but its origin is mysterious."

Crouching Yeti is involved in several Advanced Persistent Threat (APT) campaigns. According to Kaspersky Lab's research, the victims cover a wide range of businesses and organizations. Most of the identified victims come from the following sectors: industry / mechanical equipment, manufacturing, pharmaceutical industry, construction, education and IT.

In total, the identified victims exceed 2,800 worldwide, of which Kaspersky Lab researchers were able to identify 101 companies/organizations. Based on this list, Crouching Yeti seems to focus on strategic targets. However, the attackers also appear to be attracted to other, less "obvious" targets. Kaspersky Lab experts believe that the latter may be "collateral victims". It may also make sense to view Crouching Yeti not only as a highly targeted campaign focused on a very specific area of interest, but also as a broad surveillance campaign with interest in various areas. The companies and organizations that were attacked are mainly located in , Spain and Japan.

Apart from the above countries, Crouching Yeti has also been active in Greece. Specifically for our country, Kaspersky Lab's research found that the campaign hit the network of a public research and technology academy and of a multinational courier service. Crouching Yeti has also turned against different types of targets in the wider region of Southeastern Europe. Its victims include, among others, a high-speed computer network operator in Turkey, while in Croatia an academic / research network and a physics institute fell victim.

Given the nature of the identified victims, the main implication for them is the leakage of highly sensitive information, such as trade secrets, know-how, etc.

Industrial Espionage: Malicious tools with multiple add-ons

Crouching Yeti is not a very sophisticated campaign. For example, the attackers did not use zero-day vulnerabilities, but exploits developed for already known vulnerabilities. This did not, however, prevent the campaign from going unnoticed for several years.

Kaspersky Lab researchers have found evidence of five types of malicious tools used by attackers to extract valuable information from compromised systems:

  • The Havex trojan
  • The Sysmain trojan
  • The ClientX backdoor
  • The Karagany backdoor and related stealer programs
  • Lateral movement and second-stage tools

The Havex Trojan was the most heavily used tool. In total, Kaspersky Lab researchers discovered 27 different versions of this malicious program and several additional modules, including tools designed to collect data from industrial control systems. Kaspersky Lab products detect and neutralize all variants of the malware used in this campaign.

To manage and control the campaign, Havex and the other malicious tools connect to a large network of compromised Web sites. These sites "harbor" victim information and deliver commands to infected systems, along with additional malicious modules.

The list of these additional modules includes tools for stealing Outlook passwords and contacts, taking screenshots, and tools for searching for and stealing certain types of files, such as text documents, spreadsheets, databases, PDF files, virtual disks, password-protected files, PGP security keys, etc.

At present, the Havex Trojan is known to have two highly specialized modules, aimed at collecting data from specific industrial IT environments and passing it on to the attacker. The OPC scanner module is designed to collect highly detailed data about OPC servers running on a local network. Such servers are commonly used where multiple industrial automation systems operate. The second module is a network scanning tool, which looks for all computers listening on ports associated with OPC / SCADA software. This tool tries to connect to such hosts in order to identify the OPC / SCADA system that may be in operation. It then transmits all the collected data to the command & control servers.
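The behaviour just described, a single infected host probing many neighbours on OPC/SCADA-associated ports, is a pattern a defender can look for in firewall or connection logs. The following is an added detection example written for this article; it is not code from the report or from Kaspersky Lab. The log line format, the set of OT-related ports (OPC Classic over DCOM on 135, Siemens S7 on 102, Modbus/TCP on 502, OPC UA on 4840, EtherNet/IP on 44818) and the threshold are assumptions for the example, and the log lines are constructed.

```python
"""Flag hosts that sweep the local network on ports associated with OPC/SCADA
software (the behaviour the article attributes to Havex's network-scan module).
Added example: the log format, port list and threshold are assumptions, not
taken from the report."""
import re
from collections import defaultdict

# Assumed set of TCP ports commonly tied to OT software: OPC Classic (DCOM, 135),
# Siemens S7 (102), Modbus/TCP (502), OPC UA (4840), EtherNet/IP (44818).
OT_PORTS = {135, 102, 502, 4840, 44818}

# Assumed log format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <state>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<state>\S+)$"
)


def parse_line(line):
    """Parse one connection-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "port": int(m["port"]), "state": m["state"]}


def find_ot_sweeps(lines, min_targets=3):
    """Return {src: sorted list of (dst, port)} for every source that contacted
    at least `min_targets` distinct hosts on OT-associated ports.

    Refused connections count as much as accepted ones: a scanner probes hosts
    regardless of whether they answer, so the fan-out is the signal, not success.
    """
    touched = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["port"] in OT_PORTS:
            touched[rec["src"]].add((rec["dst"], rec["port"]))
    return {src: sorted(pairs) for src, pairs in touched.items()
            if len({dst for dst, _ in pairs}) >= min_targets}


# Constructed sample log: 10.0.5.20 fans out across the 10.0.7.0/24 segment on
# Modbus and DCOM ports; 10.0.5.31 is an HMI talking repeatedly to one OPC UA
# server, which is normal and must not be flagged.
SAMPLE_LOG = [
    "2014-01-15T09:12:01Z 10.0.5.20 -> 10.0.7.1:502 refused",
    "2014-01-15T09:12:01Z 10.0.5.20 -> 10.0.7.2:502 refused",
    "2014-01-15T09:12:02Z 10.0.5.20 -> 10.0.7.3:502 accepted",
    "2014-01-15T09:12:02Z 10.0.5.20 -> 10.0.7.4:135 refused",
    "2014-01-15T09:12:03Z 10.0.5.20 -> 10.0.7.5:135 accepted",
    "2014-01-15T09:12:03Z 10.0.5.20 -> 10.0.7.2:443 accepted",
    "2014-01-15T09:15:44Z 10.0.5.31 -> 10.0.7.3:4840 accepted",
    "2014-01-15T09:16:00Z 10.0.5.31 -> 10.0.7.3:4840 accepted",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for src, pairs in find_ot_sweeps(SAMPLE_LOG).items():
        hosts = {dst for dst, _ in pairs}
        print(f"{src} probed {len(hosts)} hosts on OT ports: {pairs}")
```

The threshold and the port set are the two knobs to tune: in a real plant network the HMI and historian legitimately talk to many devices on these ports, so a baseline of known OT clients should be excluded before alerting on fan-out.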

Mysterious origin

Kaspersky Lab researchers have observed several metadata features that could point to the national origin of the criminals behind the campaign. In particular, they analyzed 154 compilation timestamps and concluded that most samples were built between 06:00 and 16:00 UTC (Coordinated Universal Time). These hours could correspond to any country in Europe, including Eastern Europe.

The company's experts also analyzed the actor's language. The textual elements present in the analyzed malware are in English, written by non-native speakers. Unlike several previous researchers of this campaign, Kaspersky Lab experts could not conclude that this actor is of Russian origin. Almost 200 malicious executables and their associated operational content contain no Cyrillic content (or any corresponding metadata) at all, unlike the recorded findings for campaigns such as RedOctober, Miniduke, CosmicDuke, Snake and TeamSpy. Language clues instead point to French and Swedish speakers.
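The two attribution checks described above, build-hour analysis of compilation timestamps and a search for Cyrillic content in samples, are simple to reproduce on one's own sample set. The following is an added example written for this article, not code from the report or from Kaspersky Lab. It assumes timestamps are supplied as PE `TimeDateStamp` values (seconds since the Unix epoch, in UTC), and the timestamps and byte strings below are constructed, so the 06:00-16:00 window they produce is illustrative, not the report's data.

```python
"""Two attribution-metadata checks: the UTC hour distribution of compilation
timestamps and a scan for Cyrillic text in binary content. Added example;
timestamps and sample blobs are constructed, not taken from the report."""
from collections import Counter
from datetime import datetime, timezone
import re


def compile_hours(timestamps):
    """Map PE TimeDateStamp values (seconds since the Unix epoch, UTC) to a
    Counter of the UTC hour in which each sample was built."""
    return Counter(datetime.fromtimestamp(ts, tz=timezone.utc).hour
                   for ts in timestamps)


def busiest_window(hours, width=10):
    """Return (start_hour, count) for the `width`-hour window, wrapping past
    midnight, that contains the most samples. A finding such as '06:00-16:00
    UTC' is a window of this kind; on a tie the earliest start wins."""
    best = (0, -1)
    for start in range(24):
        count = sum(hours.get((start + i) % 24, 0) for i in range(width))
        if count > best[1]:
            best = (start, count)
    return best


# Cyrillic block U+0400-U+04FF; Windows binaries usually carry their resource
# strings and wide-char literals in UTF-16LE, so both encodings are tried.
CYRILLIC_RE = re.compile("[\u0400-\u04ff]")


def has_cyrillic(blob: bytes) -> bool:
    """True if the blob contains Cyrillic letters in UTF-8 or UTF-16LE.
    Undecodable bytes are ignored so that binary padding does not abort the
    check; a printable Cyrillic letter needs a 0x04 high byte in UTF-16LE,
    which does not arise from ASCII text decoded the wrong way."""
    for enc in ("utf-8", "utf-16-le"):
        text = blob.decode(enc, errors="ignore")
        if CYRILLIC_RE.search(text):
            return True
    return False


def _utc(hour, minute=0):
    """Constructed helper: epoch seconds for a fixed date at the given UTC time."""
    return int(datetime(2013, 9, 2, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed timestamps: a working-day cluster plus two outliers.
SAMPLE_TIMESTAMPS = [_utc(h) for h in (7, 8, 9, 9, 10, 11, 12, 13, 14, 15, 15, 3, 22)]

# Constructed blobs standing in for strings pulled from samples.
SAMPLE_BLOBS = {
    "english_error": b"Error: connection to server failed\x00",
    "cyrillic_utf16": "Ошибка подключения".encode("utf-16-le"),
    "cyrillic_utf8": "Ошибка".encode("utf-8"),
    "binary_padding": b"\x00\x01\x02\x03MZ\x90\x00",
}

if __name__ == "__main__":
    hours = compile_hours(SAMPLE_TIMESTAMPS)
    start, count = busiest_window(hours)
    print(f"{count}/{len(SAMPLE_TIMESTAMPS)} samples built between "
          f"{start:02d}:00 and {(start + 10) % 24:02d}:00 UTC")
    for name, blob in SAMPLE_BLOBS.items():
        print(f"{name}: cyrillic={has_cyrillic(blob)}")
```

Both checks are weak signals on their own: build timestamps can be forged or stripped, and the absence of Cyrillic says nothing about the operators' language, which is why the report treats them as one input among several rather than as a conclusion.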

Kaspersky Lab experts are continuing their research into this campaign while also collaborating with law enforcement authorities and industry partners. The full text of the research is available at Securelist.com.


Written by giorgos
