Skip to content ↓ | Skip to navigation ↓

The notorious cyber espionage operation discovered several weeks ago, known as “Energetic Bear,” is continuing to make rounds across the globe, affecting more than 2,800 known victims, including 101 identified organizations.

After in-depth studies, researchers at Kasperky Lab revealed that the attacks have expanded into industries beyond the industrial, manufacturing and machinery sectors, now including the pharmaceutical, construction, education and IT industries, as well.

The malicious campaign was originally believed to originate from Russia more than four years ago; however, after further investigation, researchers also found traces from Swedish- and French-speaking actors. In turn, researchers have renamed the malware “Crouching Yeti,” as its origin is yet unclear.

According to Kasperky Lab, “This list of victims seems to indicate Crouching Yeti’s interest in strategic targets, but it also shows an interest of the group in many other not-so-obvious institutions.”

“[We] believe they might be collateral victims, but it might also be reasonable to redefine Crouching Yeti not only as a highly targeted campaign in a very specific area of interest, but also as a broad surveillance campaign with interests in different sectors.”

Meanwhile, researchers also noted that the malware seems “hardly sophisticated,” with attackers using only exploits that are widely available online. To infect the victims, researchers found attackers rely on the following three methods:

  • Spear-fishing e-mails using PDF documents embedded with an Adoble Flash exploit (CVE-2011-0611);
  • Trojanized software installers; and
  • Waterhole attacks through a variety of re-used exploits

In addition, research indicated the campaign uses various malware, or Trojans, exclusively infecting Windows systems:

  • Havex Trojan
  • Sysmain Trojan
  • The ClientX backdoor
  • Karagny backdoor and related stealers
  • Lateral movement and second stage tools

“At this time, the group’s main objective appears to be intelligence collection, but this intelligence could be used to disrupt networks or utilities at any time by Energetic Bear or sold to the highest bidder,” said Lamar Bailey, leader of Tripwire’s Vulnerability and Exposure Research Team (VERT).

“Malware protection companies are scrambling to detect all the variants of of the RATs used when they are discovered but organizations should be keeping a close eye on critical systems looking for unauthorized changes or communications indicative of a compromise.”

The researchers will continue to investigate the malicious campaign while working with law enforcement industry partners.

Read the full report here. (PDF)

Listen to our ‘Beware of Energetic Bear’ podcast here.