The profilic cyberspying operation known as Energetic Bear and DragonFly has been busy the past few months and the closer researchers dig into its operations, the bigger and more expansive its reach appears.
Kaspersky Lab today published an in-depth report on the attack campaign, which the firm says has infected more than 2,800 known victims around the globe, including 101 organizations it could identify, mainly in the US, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Portland, and China. The attacks have been detected hitting not only industrial/machinery and manufacturing firms, but pharmaceutical, construction, education, and IT firms as well.
Meanwhile, Kaspersky named the campaign Energetic Yeti because its researchers say they can't confirm the attackers are Russian. While researchers at F-Secure concluded the attacking group is Russian, Kaspersky researchers say it's unclear. The researchers say they found clues of French and Swedish-speaking players, for instance. "The Energetic Bear was the initial name given to this campaign by Crowd Strike according to their nomenclature. The Bear goes for attribution, and Crowd Strike believes this campaign has a Russian origin. Kaspersky Lab is still investigating all existing leads; however, at the moment there are no strong points in either direction," says Nicolas Brulez, principal security researcher at Kaspersky Lab.
F-Secure and Symantec recently had spotted the attackers targeting mainly energy and some manufacturing firms with the so-called Havex Trojan, and Symantec as far back as March saw the group shifting its focus onto energy firms, with half of the targets in energy and 30% in energy control systems.
Sean Sullivan, a security adviser at F-Secure in an interview with Dark Reading last month said the attack campaign was not pure espionage: "From what I've seen, it looks to me like they want a broad range of targets. The espionage going on here seems to be a wide net for any sort of infrastructure that might give the ability to get your way politically... That fits in with what I know of Russian [attacker] tactics."
Kaspersky's report, meanwhile, also notes that the attackers use mainly the Havex Trojan, and there are at least 27 different versions of it, including modules that target industrial control systems. Spear-phishing and waterholing attacks are the initial infection vector as well as compromised SCADA software updates, which F-Secure and Symantec reported last month.
"Thanks to the monitoring of several of the C&C domains used by the group, we were able to identify several victims. This victim list reinforces the interests shown by the Crouching Yeti actor in strategic targets, but also shows the interest of the group in many other not-so-obvious institutions. We believe they might be collateral victims, or maybe it would be fair to redefine the Crouching Yeti actor not only as a highly targeted one in a very specific area of interest, but a broad surveillance campaign with interests in different sectors," Kaspersky's report says.