About 2,800 victims of worldwide info-stealing campaign targeting various sectors

The attackers are still unknown because they have left no hints behind as to their true identities.

An unidentified threat group has compromised approximately 2,800 victims from various sectors around the world in an information stealing campaign that dates back to the end of 2010, according to a Kaspersky Lab Global Research & Analysis Team report.

Security firm CrowdStrike had identified the campaign as "Energetic Bear" in January because the energy sector seemed to be the prime target, but Kaspersky renamed it "Crouching Yeti" since the manufacturing, pharmaceutical, construction, education, information technology, and, most of all, the industrial and machinery sectors are also being targeted.

The stealthy Crouching Yeti team typically infects targets using trojanized software installers, waterhole attacks that take advantage of an assortment of exploits, and PDF documents embedded with Flash exploit CVE-2011-0611 that are attached to spearphishing emails.

With 27 different versions identified, the Havex trojan has been used most by the attackers to infect victims; however, they also rely on the Sysmain trojan, as well as the ClientX backdoor and the Karagany backdoor, according to the report.

“This particular actor is out of the ordinary, from their victim set to their offensive toolkit,” Kurt Baumgartner, principal security researcher at Kaspersky Lab, told SCMagazine.com in a Friday email correspondence, adding that the attackers have left no hints behind as to their true identities.

“They consistently re-use compromised, legitimate websites to host their exploit sites and redirectors to their exploit sites,” Baumgartner said. “The exploits delivered are not only commodity stuff; they are slightly modified, re-used Metasploit open source code.”

The researchers with Kaspersky Lab are not entirely sure what the Crouching Yeti team plans to do with the compromised information, which was stolen with public key encryption – something that Baumgartner said he found unusual.

The United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China are the most targeted countries in the campaign, according to the report.
