The Energetic Bear and Crouching Yeti at the Watering Hole

Kaspersky Labs has released another fascinating report on a complex Advanced Persistent Threat (or APT), an extremely dangerous form of malware. An APT is certainly advanced, they typically are complicated systems of several forms of malicious software, and each component tends to be at least as complex and as capable as what we used to think of as an entire threat package. And they’re persistent, this latest one has been around at least since 2010.

Once an APT has become established within an organization, it might lurk there for years silently stealing data and sending it out to C&C (or Command and Control) servers scattered around the world. Those C&C servers themselves are very likely compromised systems, making the APT controller extremely difficult to track down.

Why the wild name for this one?

Crowd Strike dubbed this APT “Energetic Bear” because they believed that it was created in and controlled from Russia, and that its target was the energy industry.

However, Kaspersky has found that its targets are much broader and it doesn’t have the usual signs of being written by Russian programmers. So, a more mysterious creature was in order.

It seems to be targeted at a wide range of corporations involved in machinery building, pharmaceuticals, construction, and even education. Geographically, its victims are spread around the world with the largest numbers by far in the U.S. and Spain.

As for its origins, there were none of the expected signs of Russian programmers. No Cyrillic text, or Russian words transliterated into the Latin/ASCII alphabet. A couple of distinctively Spanish and French terms seemed to be used for variable names, but the narrative and error messages were largely in comically broken English:

Start finging of LAN hosts...
Finding was fault. Unexpective error
Was found %i hosts in LAN:
Hosts was't found.

Learning Tree’s System and Network Security Introduction course gives you a fundamental vocabulary for discussing cybersecurity, the concepts and names for the tools used for both attack and defense. Some of the terms can seem strange at first.

This Crouching Yeti APT uses a watering hole attack to get into a system. The concept is familiar from nature documentaries — animals come to an apparently safe watering hole and are attacked by lurking predators. In this case, the perpetrators have compromised legitimate web sites for manufacturers of industrial equipment including cameras and programmable logic controllers (or PLCs) used in factories. They replaced those companies’ software with versions also including the initial stages of the APT. These loaders then pull in the modules that steal and exfiltrate the valuable data.

These “watering hole attacks” show the unfortunate reality of the Internet: You can be victimized by someone else’s poor housekeeping. A hole in a supplier’s web site or FTP server can be a used to insert malicious code into your organization.

Kaspersky’s overview is here and the detailed report is here. Check it out!

Bob Cromwell

Type to search

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.