Still around: Energetic Bear/Crouching Yeti APT is not going away

Crouching Yeti, last year’s widely publicized APT campaign, is apparently still active, although the operator might have switched infrastructure, techniques, and targets.

So who might the next victims be?

First, a refresher on what Crouching Yeti is: originally called “Energetic Bear”, it was first reported in 2014 as a long-standing APT campaign whose operator showed a clearly pronounced interest in the energy sector worldwide.

After further research, Kaspersky Lab identified that the attackers are also interested in industrial and machinery sectors, manufacturing, pharmaceutical and construction companies, education facilities and, of course, organizations related to information technology. So “Energetic Bear” became less relevant, and Kaspersky Lab gave it a new name: “Crouching Yeti”.

Origin

Although artifacts in the associated malware code suggest Russian-speaking authors, the language is the only attribution factor that has been available from the start, and it still is. It also has seven C2 servers located in Russia, but almost five times as many located in the U.S.

Current status

…is “Active, but…”

So far, 69 C2 servers with unique domains have been monitored by Kaspersky Lab. These are receiving hits from 3,699 victims (judging by the unique IDs of the Trojan/backdoor). Not much on a global scale, but apparently these are the companies with huge security flaws – otherwise the malware would have been cleared already.

Since the original report last year, four additional C2s have been detected (65 in the previous report).

The top five C2 servers account for most of the unique victims, and recent data shows that the number of infections has gone down. Apparently, this is due to the increased attention from security vendors and the targeted businesses.

“…the data analyzed during this period show us that Crouching Yeti’s impact continues to increase in terms of infected victims reporting to the C2s, although internal data from KSN shows a different picture (residual number of infections). In this update, we did not see relevant changes in the infrastructure or in the C2 activity”, reads Kaspersky Lab’s report published at Securelist. For detailed data please take a look here.

Still crouching

The Securelist report says the impact continues to increase, but this is likely because the operators have already switched infrastructure, techniques, and targets.

It’s strange to expect that a cyberespionage campaign of Crouching Yeti’s scope would have folded-n-bolted after getting discovered. On the other hand, discovery complicates things for the attackers – they are no longer as stealthy as they would like to be. So they need other ways to continue their activities.

Overall, Yeti seems to be stalling somewhat. It’s highly likely that it is being reformatted now – just like the Red October APT that eventually transformed into the Cloud Atlas campaign. We will most likely hear from this campaign again, but under a different name.

Who are going to be its next victims? “Anyone” is the pessimistic and somewhat incorrect answer. More accurately, it is “Anyone with an insufficient data security policy and weak defenses”.

The area of activity is actually not as important here. After all, Crouching Yeti isn’t the only APT around.

Tips