7/31/2014
06:00 PM

'Energetic' Bear Under The Microscope

Kaspersky Lab report finds more industries hit by the infamous cyber espionage campaign -- and evidence pointing to French and Swedish-speaking attackers as well as Eastern European ones.

The prolific cyberspying operation known as Energetic Bear and DragonFly has been busy the past few months, and the deeper researchers dig into its operations, the bigger and more expansive its reach appears.

Kaspersky Lab today published an in-depth report on the attack campaign, which the firm says has infected more than 2,800 known victims around the globe, including 101 organizations it could identify, mainly in the US, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland, and China. The attacks have been detected hitting not only industrial/machinery and manufacturing firms, but also pharmaceutical, construction, education, and IT firms.

Meanwhile, Kaspersky named the campaign Energetic Yeti because its researchers say they can't confirm the attackers are Russian. While researchers at F-Secure concluded the attacking group is Russian, Kaspersky researchers say it's unclear. The researchers say they found clues of French and Swedish-speaking players, for instance. "The Energetic Bear was the initial name given to this campaign by CrowdStrike according to their nomenclature. The Bear goes for attribution, and CrowdStrike believes this campaign has a Russian origin. Kaspersky Lab is still investigating all existing leads; however, at the moment there are no strong points in either direction," says Nicolas Brulez, principal security researcher at Kaspersky Lab.

F-Secure and Symantec had recently spotted the attackers targeting mainly energy and some manufacturing firms with the so-called Havex Trojan, and Symantec as far back as March saw the group shifting its focus onto energy firms, with half of the targets in energy and 30% in energy control systems.

Sean Sullivan, a security adviser at F-Secure, said in an interview with Dark Reading last month that the attack campaign was not pure espionage: "From what I've seen, it looks to me like they want a broad range of targets. The espionage going on here seems to be a wide net for any sort of infrastructure that might give the ability to get your way politically... That fits in with what I know of Russian [attacker] tactics."

Kaspersky's report, meanwhile, also notes that the attackers use mainly the Havex Trojan, and there are at least 27 different versions of it, including modules that target industrial control systems. Spear-phishing and waterholing attacks are the initial infection vectors, along with compromised SCADA software updates, which F-Secure and Symantec reported last month.

"Thanks to the monitoring of several of the C&C domains used by the group, we were able to identify several victims. This victim list reinforces the interests shown by the Crouching Yeti actor in strategic targets, but also shows the interest of the group in many other not-so-obvious institutions. We believe they might be collateral victims, or maybe it would be fair to redefine the Crouching Yeti actor not only as a highly targeted one in a very specific area of interest, but a broad surveillance campaign with interests in different sectors," Kaspersky's report says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
BoatnerB,
User Rank: Author
8/1/2014 | 10:22:52 AM
Interesting piece
Interesting reading, Kelly!
securityaffairs,
User Rank: Ninja
8/1/2014 | 9:26:33 AM
Re: state-sponsored hacking
Dear Kelly,

I suspect that they have used them, but we are not able to detect any similar intrusion due to the difficulty of tracking highly sophisticated APTs (e.g. State-sponsored malware).

Anyway, as you have remarked, it is worrying that the bad actors also succeeded in exploiting poorly configured servers.

Thanks
Kelly Jackson Higgins,
User Rank: Strategist
8/1/2014 | 9:19:50 AM
Re: state-sponsored hacking
Apparently, they really didn't need 0days, which is sad but reality.
securityaffairs,
User Rank: Ninja
8/1/2014 | 9:01:20 AM
Re: state-sponsored hacking
Yes Kelly, you are right ... comments in the code, as explained by other security firms, seem to indicate that the hackers have a Russian origin. I believe it is very strange that no zero-day exploits were used in the campaign; I believe that there are a lot of details still uncovered.
Kelly Jackson Higgins,
User Rank: Strategist
8/1/2014 | 7:54:22 AM
Re: state-sponsored hacking
State-sponsored is definitely the assumption on this campaign. It's interesting that Kaspersky Lab is saying they can't confirm it's Russian-based. CrowdStrike and F-Secure have indicated it's out of Russia. But attribution can be tricky, as we've seen.
securityaffairs,
User Rank: Ninja
8/1/2014 | 6:25:07 AM
state-sponsored hacking
Although attribution is very difficult and the bad actors behind the campaign haven't used any sophisticated strain of malware, I believe that the APT has a state-sponsored origin.

Statistics on working time, dimension of the architecture and targeted industries suggest to me that we are facing a cyber espionage campaign arranged by a government ... and probably this is just the tip of the iceberg.