An unidentified threat group has compromised approximately 2,800 victims from various sectors around the world in an information-stealing campaign that dates back to the end of 2010, according to a Kaspersky Lab Global Research & Analysis Team report.
Security firm CrowdStrike had identified the campaign as "Energetic Bear" in January because the energy sector seemed to be the prime target, but Kaspersky renamed it "Crouching Yeti" since the manufacturing, pharmaceutical, construction, education, information technology, and, most of all, the industrial and machinery sectors are also being targeted.
The stealthy Crouching Yeti team typically infects targets using trojanized software installers, waterhole attacks that take advantage of an assortment of exploits, and PDF documents embedded with Flash exploit CVE-2011-0611 that are attached to spearphishing emails.
With 27 different versions identified, the Havex trojan is the tool the attackers have used most to infect victims; however, they also rely on the Sysmain trojan, as well as the ClientX backdoor and the Karagany backdoor, according to the report.
“This particular actor is out of the ordinary, from their victim set to their offensive toolkit,” Kurt Baumgartner, principal security researcher at Kaspersky Lab, told SCMagazine.com in a Friday email correspondence, adding that the attackers have left no hints behind as to their true identities.
“They consistently re-use compromised, legitimate websites to host their exploit sites and redirectors to their exploit sites,” Baumgartner said. “The exploits delivered are not only commodity stuff; they are slightly modified, re-used Metasploit open source code.”
The researchers with Kaspersky Lab are not entirely sure what the Crouching Yeti team plans to do with the compromised information, which was stolen with public key encryption – something that Baumgartner said he found unusual.
The United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China are the most targeted countries in the campaign, according to the report.