Attacks/Breaches

7/31/2014
06:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Energetic' Bear Under The Microscope

Kaspersky Lab report finds more industries hit by the infamous cyber espionage campaign -- and evidence pointing to French and Swedish-speaking attackers as well as Eastern European ones.

The profilic cyberspying operation known as Energetic Bear and DragonFly has been busy the past few months and the closer researchers dig into its operations, the bigger and more expansive its reach appears.

Kaspersky Lab today published an in-depth report on the attack campaign, which the firm says has infected more than 2,800 known victims around the globe, including 101 organizations it could identify, mainly in the US, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Portland, and China. The attacks have been detected hitting not only industrial/machinery and manufacturing firms, but pharmaceutical, construction, education, and IT firms as well.

Meanwhile, Kaspersky named the campaign Energetic Yeti because its researchers say they can't confirm the attackers are Russian. While researchers at F-Secure concluded the attacking group is Russian, Kaspersky researchers say it's unclear. The researchers say they found clues of French and Swedish-speaking players, for instance. "The Energetic Bear was the initial name given to this campaign by Crowd Strike according to their nomenclature. The Bear goes for attribution, and Crowd Strike believes this campaign has a Russian origin. Kaspersky Lab is still investigating all existing leads; however, at the moment there are no strong points in either direction," says Nicolas Brulez, principal security researcher at Kaspersky Lab.

F-Secure and Symantec recently had spotted the attackers targeting mainly energy and some manufacturing firms with the so-called Havex Trojan, and Symantec as far back as March saw the group shifting its focus onto energy firms, with half of the targets in energy and 30% in energy control systems.

Sean Sullivan, a security adviser at F-Secure in an interview with Dark Reading last month said the attack campaign was not pure espionage: "From what I've seen, it looks to me like they want a broad range of targets. The espionage going on here seems to be a wide net for any sort of infrastructure that might give the ability to get your way politically... That fits in with what I know of Russian [attacker] tactics."

Kaspersky's report, meanwhile, also notes that the attackers use mainly the Havex Trojan, and there are at least 27 different versions of it, including modules that target industrial control systems. Spear-phishing and waterholing attacks are the initial infection vector as well as compromised SCADA software updates, which F-Secure and Symantec reported last month.

"Thanks to the monitoring of several of the C&C domains used by the group, we were able to identify several victims. This victim list reinforces the interests shown by the Crouching Yeti actor in strategic targets, but also shows the interest of the group in many other not-so-obvious institutions. We believe they might be collateral victims, or maybe it would be fair to redefine the Crouching Yeti actor not only as a highly targeted one in a very specific area of interest, but a broad surveillance campaign with interests in different sectors," Kaspersky's report says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BoatnerB
50%
50%
BoatnerB,
User Rank: Author
8/1/2014 | 10:22:52 AM
Interesting piece
Interesting reading, Kelly!
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
8/1/2014 | 9:26:33 AM
Re: state-sponsored hacking
Dear Kelly,

I suspect that they have used them, but we are not able to detect any similar intrusion due to the difficulties to track high sophisticated APT (e.g. State-sponsored malware).

Anyway, as you have remarked, it is worrying that the bad actors succeeded also exploiting poorly configured servers.

Thanks
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/1/2014 | 9:19:50 AM
Re: state-sponsored hacking
Appparently, they really didn't need 0days, which is sad but reality.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
8/1/2014 | 9:01:20 AM
Re: state-sponsored hacking
yes Kelly you are right ... comments in the code, as explained by other security firms, seems indicate that hackers have Russian origin. I believe it is very strange that no zero-day exploits were used in the campaign, I believe that there are a lot of details still uncovered.

 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/1/2014 | 7:54:22 AM
Re: state-sponsored hacking
State-sponsored is definitely the assumption on this campaign. It's interesting that Kaspersky Lab is saying they can't confirm it's Russian-based. CrowdStrike and F-Secure have indicated it's out of Russia. But attribution can be tricky, as we've seen.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
8/1/2014 | 6:25:07 AM
state-sponsored hacking
Despite the attribution is very difficult and the bad actors behind the campaign haven't used any sophisticated strain of malware, I believe that the APT has a state-sponsored origin.

Statistics on working time, dimension of the architecture and targeted industries suggest me that we are facing with a cyber espionage campaign arranged by a government ... and probably this is just the tip of the iceberg.
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.