7/31/2014
06:00 PM

'Energetic' Bear Under The Microscope

Kaspersky Lab report finds more industries hit by the infamous cyber espionage campaign -- and evidence pointing to French and Swedish-speaking attackers as well as Eastern European ones.

The prolific cyberspying operation known as Energetic Bear and DragonFly has been busy the past few months, and the deeper researchers dig into its operations, the bigger and more expansive its reach appears.

Kaspersky Lab today published an in-depth report on the attack campaign, which the firm says has infected more than 2,800 known victims around the globe, including 101 organizations it could identify, mainly in the US, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland, and China. The attacks have been detected hitting not only industrial/machinery and manufacturing firms, but pharmaceutical, construction, education, and IT firms as well.

Meanwhile, Kaspersky named the campaign Energetic Yeti because its researchers say they can't confirm the attackers are Russian. While researchers at F-Secure concluded the attacking group is Russian, Kaspersky researchers say it's unclear. The researchers say they found clues of French and Swedish-speaking players, for instance. "The Energetic Bear was the initial name given to this campaign by CrowdStrike according to their nomenclature. The Bear goes for attribution, and CrowdStrike believes this campaign has a Russian origin. Kaspersky Lab is still investigating all existing leads; however, at the moment there are no strong points in either direction," says Nicolas Brulez, principal security researcher at Kaspersky Lab.

F-Secure and Symantec had recently spotted the attackers targeting mainly energy and some manufacturing firms with the so-called Havex Trojan, and Symantec as far back as March saw the group shifting its focus onto energy firms, with half of the targets in energy and 30% in energy control systems.

Sean Sullivan, a security adviser at F-Secure, said in an interview with Dark Reading last month that the attack campaign was not pure espionage: "From what I've seen, it looks to me like they want a broad range of targets. The espionage going on here seems to be a wide net for any sort of infrastructure that might give the ability to get your way politically... That fits in with what I know of Russian [attacker] tactics."

Kaspersky's report, meanwhile, also notes that the attackers use mainly the Havex Trojan, and there are at least 27 different versions of it, including modules that target industrial control systems. Spear-phishing and waterholing attacks are the initial infection vectors, along with compromised SCADA software updates, which F-Secure and Symantec reported last month.

"Thanks to the monitoring of several of the C&C domains used by the group, we were able to identify several victims. This victim list reinforces the interests shown by the Crouching Yeti actor in strategic targets, but also shows the interest of the group in many other not-so-obvious institutions. We believe they might be collateral victims, or maybe it would be fair to redefine the Crouching Yeti actor not only as a highly targeted one in a very specific area of interest, but a broad surveillance campaign with interests in different sectors," Kaspersky's report says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
BoatnerB
User Rank: Author
8/1/2014 | 10:22:52 AM
Interesting piece
Interesting reading, Kelly!
securityaffairs
User Rank: Ninja
8/1/2014 | 9:26:33 AM
Re: state-sponsored hacking
Dear Kelly,

I suspect that they have used them, but we are not able to detect any similar intrusion due to the difficulty of tracking highly sophisticated APTs (e.g. state-sponsored malware).

Anyway, as you have remarked, it is worrying that the bad actors also succeeded in exploiting poorly configured servers.

Thanks
Kelly Jackson Higgins
User Rank: Strategist
8/1/2014 | 9:19:50 AM
Re: state-sponsored hacking
Apparently, they really didn't need 0days, which is sad but reality.
securityaffairs
User Rank: Ninja
8/1/2014 | 9:01:20 AM
Re: state-sponsored hacking
Yes Kelly, you are right ... comments in the code, as explained by other security firms, seem to indicate that the hackers have Russian origin. I believe it is very strange that no zero-day exploits were used in the campaign, I believe that there are a lot of details still uncovered.
Kelly Jackson Higgins
User Rank: Strategist
8/1/2014 | 7:54:22 AM
Re: state-sponsored hacking
State-sponsored is definitely the assumption on this campaign. It's interesting that Kaspersky Lab is saying they can't confirm it's Russian-based. CrowdStrike and F-Secure have indicated it's out of Russia. But attribution can be tricky, as we've seen.
securityaffairs
User Rank: Ninja
8/1/2014 | 6:25:07 AM
state-sponsored hacking
Although attribution is very difficult and the bad actors behind the campaign haven't used any sophisticated strain of malware, I believe that the APT has a state-sponsored origin.

Statistics on working time, dimension of the architecture and targeted industries suggest to me that we are facing a cyber espionage campaign arranged by a government ... and probably this is just the tip of the iceberg.