APT Group Targets Servers on Global Basis

Monday, April 23, 2018 @ 01:04 PM gHale

The infrastructure used by the well-known Russian-speaking APT group Crouching Yeti, or Energetic Bear, includes compromised servers across the world, researchers said.

Countless servers in different countries have been hit since 2016, sometimes in order to gain access to other resources, said researchers at Kaspersky Lab. Others, including those hosting Russian websites, were used as watering holes.

Crouching Yeti, a Russian-speaking advanced persistent threat (APT) group Kaspersky Lab has been tracking since 2010, is best known for targeting industrial sectors around the world, with a primary focus on energy facilities, in order to steal valuable data.

One technique the group has used widely is the watering hole attack, in which the attackers inject a legitimate website with a link that redirects visitors to a malicious server.
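From the defender's side, a watering hole of the kind described above shows up as a reference in your own pages to a host you never put there. The following is an added example, not Kaspersky Lab's tooling or anything from the report: a small scanner that walks a page's HTML and flags script, iframe, link, image, object and meta-refresh targets whose host is not on an allowlist. The sample page and all host names are constructed placeholders.

```python
# Added example: flag externally hosted references in a page that could be an
# injected watering-hole redirect. Not Kaspersky's tooling; all domains are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make a browser load from or navigate to another host
_LOAD_ATTRS = {
    "script": "src", "iframe": "src", "link": "href", "img": "src",
    "embed": "src", "object": "data",
}

class ExternalRefScanner(HTMLParser):
    """Collect references to hosts outside the allowlist, plus meta refresh redirects."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (tag, host, url) tuples

    def _check(self, tag, url):
        host = urlparse(url).hostname
        # Absolute and scheme-relative (//host/...) URLs carry a host; relative ones are same-origin
        if host and host.lower() not in self.allowed:
            self.findings.append((tag, host, url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in _LOAD_ATTRS and attrs.get(_LOAD_ATTRS[tag]):
            self._check(tag, attrs[_LOAD_ATTRS[tag]])
        # <meta http-equiv="refresh" content="0;url=..."> is a classic injected redirect
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                target = content[content.lower().index("url=") + 4:].strip().strip("'\"")
                self._check("meta-refresh", target)

def find_external_refs(html, allowed_hosts):
    """Return every off-allowlist reference found in the HTML, in document order."""
    scanner = ExternalRefScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: a normal site with one injected <script> and one injected meta refresh
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-site.test/app.js"></script>
<script src="//attacker-placeholder.invalid/x.js"></script>
<meta http-equiv="refresh" content="5; url=http://attacker-placeholder.invalid/landing">
</head><body><img src="/logo.png"></body></html>"""

if __name__ == "__main__":
    for tag, host, url in find_external_refs(SAMPLE_HTML, ["example-site.test", "cdn.example-site.test"]):
        print(f"{tag:12} {host:32} {url}")
```

Run it against a saved copy of each page in a periodic crawl of your own site and diff the findings between runs; a reference that appears without a matching deploy is worth a look.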

Researchers found servers compromised by the group belonging to different organizations based in Russia, the U.S., Turkey and European countries. These servers were hit in 2016 and 2017 with different purposes in mind, the researchers said. In addition to watering holes, in some cases they were used as intermediaries to conduct attacks on other resources.

In the process of analyzing infected servers, researchers found websites and servers used by organizations in Russia, the U.S., Europe, Asia and Latin America that the attackers had scanned with various tools, possibly to find a server that could be used to establish a foothold for hosting the attackers’ tools and to subsequently develop an attack.

“Crouching Yeti is a notorious Russian-speaking group that has been active for many years and is still successfully targeting industrial organizations through watering hole attacks, among other techniques. Our findings show that the group compromised servers not only for establishing watering holes, but also for further scanning, and they actively used open-sourced tools that made it much harder to identify them afterwards,” said Vladimir Dashchenko, head of vulnerability research group, Kaspersky Lab ICS CERT.

“The group’s activities, such as initial data collection, the theft of authentication data and the scanning of resources, are used to launch further attacks,” Dashchenko said. “The diversity of infected servers and scanned resources suggests the group may operate in the interests of third parties.”
