Kaspersky uncovers Crouching Yeti's infrastructure

Crouching Yeti has been active for many years.

Kaspersky Lab has uncovered infrastructure used by the notorious Russian-speaking advanced persistent threat (APT) group Crouching Yeti, which it has been tracking since 2010.

Also known as Energetic Bear, Crouching Yeti is famous for targeting industrial sectors around the world with a primary focus on energy facilities. Its aim is to steal valuable data from its targets.

Watering hole attacks

According to Kaspersky Lab researchers, the group has compromised numerous servers in several countries since 2016. Some of these servers are used as stepping stones to other resources; others are used for watering hole attacks, in which the threat actors inject a link to a malicious server into legitimate Web sites so that visitors to those sites are directed to attacker-controlled infrastructure.

The security giant recently discovered several servers that were compromised by the group and belonged to a variety of entities based in Russia, the US, Turkey and Europe. These were not limited to industrial companies.

Vladimir Dashchenko, head of the Vulnerability Research Group at Kaspersky Lab ICS CERT, says Crouching Yeti has been active for many years and is still successfully targeting industrial organisations.

"Our findings show that the group compromised servers not only for establishing watering holes, but also for further scanning, and they actively used open-source tools that made it much harder to identify them afterwards."

He says the APT's activities, including initial data collection, theft of authentication data, and scanning of resources, are used to launch further attacks.

"The diversity of infected servers and scanned resources suggests the group may operate in the interests of the third parties," he added.

Publicly available tools

The group used publicly available tools designed for analysing servers and for finding and collecting information, he adds. In addition, the researchers discovered a modified sshd binary with a built-in backdoor: it had been used to replace the original file and accepted a 'master password' known to the attackers, in addition to the legitimate credentials. sshd is the OpenSSH server daemon, the process that listens for incoming connections and implements the server side of the SSH protocol.
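The practical check this finding calls for is to confirm that the sshd binary on a server still matches a known-good hash. The script below is an added example, not Kaspersky's tooling or anything recovered from the attackers; it assumes a manifest of SHA-256 hashes that was recorded from a trusted reference host (the `sha256sum` output format), and the file names and sample content it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: detect a replaced binary (e.g. /usr/sbin/sshd) by comparing its
# current SHA-256 with one recorded while the host was still trusted.
#
# Manifest format is what `sha256sum /usr/sbin/sshd > sshd.manifest` produces on a
# clean reference host: "<sha256>  <path>", one file per line. (Paths containing
# spaces are not handled; the manifest is assumed to list plain absolute paths.)

# Print the SHA-256 digest of a file.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Compare a file with its manifest entry.
# Returns 0 if the hash matches, 1 if it differs (possible replacement),
# 2 if the manifest has no entry for that path.
check_against_manifest() {
    file="$1"
    manifest="$2"
    expected=$(awk -v p="$file" '$2 == p {print $1}' "$manifest")
    [ -n "$expected" ] || return 2
    actual=$(file_sha256 "$file")
    [ "$actual" = "$expected" ]
}

# Stand-alone demonstration on constructed data: a fake "sshd" file is hashed into a
# manifest, verified, then modified (as a trojanised replacement would be) and
# verified again. Prints CLEAN / TAMPERED / UNKNOWN for each check.
demo_backdoor_check() {
    tmp=$(mktemp -d)
    printf 'pretend this is the original sshd binary\n' > "$tmp/sshd"
    sha256sum "$tmp/sshd" > "$tmp/sshd.manifest"

    report() {
        if check_against_manifest "$1" "$2"; then
            echo "CLEAN    $1"
        elif [ $? -eq 2 ]; then
            echo "UNKNOWN  $1 (not in manifest)"
        else
            echo "TAMPERED $1 (hash differs from manifest)"
        fi
    }

    report "$tmp/sshd" "$tmp/sshd.manifest"
    # Simulate replacement by a backdoored build: the content changes, the path does not.
    printf 'master-password backdoor appended\n' >> "$tmp/sshd"
    report "$tmp/sshd" "$tmp/sshd.manifest"
    report "$tmp/not-listed" "$tmp/sshd.manifest"

    rm -rf "$tmp"
}

demo_backdoor_check
```

On a real host the same comparison is available from the package manager, which keeps the digests of every installed file: `rpm -V openssh-server` on RPM-based systems and `dpkg --verify openssh-server` (or `debsums openssh-server`) on Debian-based ones. The caveat is that an attacker who already has root can edit the package database as easily as the binary, so the manifest must be taken from a trusted host or stored off-box, and a hash check only tells you the file changed, not what the change does.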

Kaspersky Lab advises businesses to implement a comprehensive framework against advanced threats comprising dedicated security solutions for targeted attack detection and incident response, along with expert services and threat intelligence.
