Energetic Bear / Crouching Yeti

Kaspersky Lab report on Energetic Bear / Crouching Yeti

Target: Various Sectors across several countries

Attack Vector: Watering hole attack

Summary: Kaspersky released details of a phishing campaign, attributed to Energetic Bear (also known as Crouching Yeti), that sought to infect various servers. This follows recent public US and UK advisories on Russian APT activity.

The activity, dating back to 2010, has affected the manufacturing, health, construction, education and technology sectors in at least 7 countries. Kaspersky’s report gives an overview of the threat vector, which uses a watering hole attack followed by stages of reconnaissance and network intrusion. The group’s aims are varied. There is evidence to suggest the compromised machines were part of a staging phase for further malicious activity, and, given some of the industries targeted, other compromises are likely to be motivated by cyberespionage.

Risk assessment summary: Although the campaign is basic in terms of tooling, it has been effective. Energetic Bear is a highly capable and skilled group, but the campaign outlined by Kaspersky does little to demonstrate its technical skill.

It is likely that the large majority of compromised servers were leveraged for multi-faceted attacks, as seen in the spam components of the two dropped .php files. The compromises would, for example, provide some anonymity to a subsequent spam campaign. The impact to business is therefore moderate, although this is highly dependent on which server was compromised.

Using low-attribution, open-source tools, the actors have demonstrated an attack which could be leveraged by many other, less skilled actors. This trend is highly likely to become more apparent in the mid to long term, with Energetic Bear among the first state-sponsored actors to have such attacks attributed to them.