The well-known Russian-speaking advanced persistent threat (APT) group Crouching Yeti, has long been targeting servers worldwide. But today Kaspersky Lab announced it has uncovered infrastructure used by the group, also known as Energetic Bear.
Since 2010, Kaspersky Lab has been tracking the APT group renowned for targeting energy facilities across the globe. The goal of the group has been to gain access to valuable data from victim systems, which they've done successfully most often by using watering hole attacks, where the attackers injected websites with a link redirecting visitors to a malicious server.
Multiple servers outside of the industrial sector from organizations in Russia, the US, Turkey and European countries had been compromised in 2016 and 2017 and used as intermediaries to conduct attacks on other resources.
"In the process of analyzing infected servers, researchers identified numerous websites and servers used by organizations in Russia, U.S., Europe, Asia and Latin America that the attackers had scanned with various tools, possibly to find a server that could be used to establish a foothold for hosting the attackers’ tools and to subsequently develop an attack. Some of the sites scanned may have been of interest to the attackers as candidates for waterhole," Kaspersky Lab wrote in a press release.
Intruders scanned a wide range of websites and servers, using publicly available tools for analyzing servers, and researchers also discovered a modified sshd file with a preinstalled backdoor that was used to replace the original file and then authorized with a master password.
“Crouching Yeti is a notorious Russian-speaking group that has been active for many years and is still successfully targeting industrial organizations through watering hole attacks, among other techniques. Our findings show that the group compromised servers not only for establishing watering holes but also for further scanning, and they actively used open-sourced tools that made it much harder to identify them afterwards,” said Vladimir Dashchenko, head of vulnerability research group Kaspersky Lab ICS CERT.
“The group’s activities, such as initial data collection, the theft of authentication data and the scanning of resources, are used to launch further attacks. The diversity of infected servers and scanned resources suggests the group may operate in the interests of the third parties,” Dashchenko added.
More details on this recent Crouching Yeti activity can be found on the Kaspersky Lab ICS CERT website.