Kaspersky report on Energetic Bear – Crouching Yeti APT campaign

The Kaspersky Lab Team has issued a report which includes details on the investigation related to the Energetic Bear – Crouching Yeti APT campaign.

Energetic Bear, aka Crouching Yeti, is the recently discovered APT campaign that targeted energy companies, manufacturers, industrial, pharmaceutical, construction and many IT companies.

Security experts have analyzed the Energetic Bear APT campaign, which appear to be a long-term operation which targeted companies in several countries, Kaspersky Lab Team, for example, published a report which details the attack chain and control infrastructure used by bad actors.

The Energetic Bear APT campaign is mainly focused on cyber espionage, the bad actors used malware based attacks to syphon sensitive information from targeted organizations.

The company has identified nearly 2800 victims worldwide, the attackers used a large network of hacked websites (219 domains) as command and control infrastructure, the majority of these websites were legitimate and were used to serve malware and instruct bot agents worldwide to collect information on targeted systems. Most of the 2,800 companies identified as victims of the attack are in the industrial/machinery market and researchers say the most-targeted countries are the United States, Spain, Japan and Germany. The bad actor behind Energetic Bear APT campaign used to compromise poorly configured servers to server RAT.

” They ran vulnerable content management systems or vulnerable web applications. None of the exploits used to compromise the servers were known to be zero-day. None of the client side exploits re-used from the open source metasploit framework were zero-day.” reports the report published by Kaspersky Lab.

Energetic Bear APT campaign Kaspersky

The attackers used the following attack schema to infect victims:

Experts at Kaspersky have identified 219 unique domain names for these C&C servers hosted in 21 different countries, the majority of C&C servers was located in the US (81 servers), Germany (33 servers), the Russian Federation (19 servers) and the United Kingdom (7 servers).

Energetic Bear APT campaign Kaspersky 2

Bad actors behind the Energetic Bear APT campaign several malware which targeted only Windows systems, the toolset adopted has remained stable over time according to Kaspersky experts:
• Havex Trojan
• Sysmain Trojan
• The ClientX backdoor
• Karagany backdoor and related stealers
• Lateral movement and second stage tools

The experts speculated that the cyber espionage campaign began as early as 2010, despite active infections have fallen by about 50 percent since the beginning of 2014 according to the data provided by Kaspersky.


Energetic Bear APT campaign Kaspersky 3

The bad actors behind the  Energetic Bear APT campaign are highly determined and focused on a very specific industrial sector of vital interest, the hackers which are operating the Energetic Bear APT campaign are most active during the week, a circumstance that suggests to me that they could be state-sponsored hackers.

“Compared to our other APT research the available data is more non-specific than usual. There simply is no one piece or set of data that would lead to the conclusion that the threat actor is Bear, Kitten, Panda, Salmon, or otherwise,” states the report.

The attribution of the Energetic Bear APT campaign is very difficult, no strain of malware is definitively linked to the modus operandi of any know APT … stay tuned for more details and read the report for further data on the cyber espionage campaign.

Pierluigi Paganini

Security Affairs –  (Energetic Bear, APT)