{"id":3748,"date":"2015-03-27T19:55:58","date_gmt":"2015-03-27T19:55:58","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3748"},"modified":"2020-02-26T11:00:53","modified_gmt":"2020-02-26T16:00:53","slug":"still-around-energetic-bearcrouching-yeti-apt-is-not-going-away","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/still-around-energetic-bearcrouching-yeti-apt-is-not-going-away\/3748\/","title":{"rendered":"Still around: Energetic Bear\/Crouching Yeti APT is not going away"},"content":{"rendered":"<p>Crouching Yeti, last year\u2019s widely publicized APT campaign, is apparently <a href=\"https:\/\/securelist.com\/blog\/research\/69293\/yeti-still-crouching-in-the-forest\/\" target=\"_blank\" rel=\"noopener\">still active<\/a>, although the operator might have switched infrastructure, techniques, and targets. Who might the next victims be?<\/p>\n<p>First, a\u00a0refresher on what Crouching Yeti is: Originally called \u201cEnergetic Bear\u201d, it was first reported in 2014 as a <a href=\"https:\/\/business.kaspersky.com\/crouching-yeti-got-caught-anyway\/2309\" target=\"_blank\" rel=\"noopener nofollow\">long-standing APT campaign<\/a>, with its operator\u2019s clearly pronounced interest in the energy sector worldwide.<\/p>\n<p>After further research, Kaspersky Lab identified that the attackers are also interested in the industrial and machinery sectors, manufacturing, pharmaceutical and construction companies, education facilities and, of course, organizations related to information technology. 
So \u201cEnergetic Bear\u201d became less relevant, and Kaspersky Lab gave it a new name: <a href=\"https:\/\/securelist.com\/blog\/research\/65240\/energetic-bear-more-like-a-crouching-yeti\/\" target=\"_blank\" rel=\"noopener\">\u201cCrouching Yeti\u201d<\/a>.<\/p>\n<p><strong>Origin<\/strong><\/p>\n<p>Although artifacts in the associated malware code suggest Russian-speaking authors, the language is the only attribution factor that has been available from the start, and it still is. It also has seven C2 servers located in Russia, but almost five times as many\u00a0located in the U.S.<\/p>\n<p><strong>Current status<\/strong><\/p>\n<p>\u2026is \u201cActive, but\u2026\u201d<\/p>\n<p>So far, 69 C2 servers with unique domains have been monitored by Kaspersky Lab. These are receiving hits from 3,699 victims (judging by the unique IDs of the Trojan\/backdoor). Not much on a global scale, but apparently these are the companies with huge security flaws \u2013 otherwise the malware would have been cleared already.<\/p>\n<p>Since the original report last year, four additional C2s have been detected (65 in the previous report).<\/p>\n<p>The top five C2 servers share most of the unique victims, and recent data shows that the number of infections has gone\u00a0down. 
Apparently, this is due to the increased attention from the security vendors and targeted businesses.<\/p>\n<p>\u201c\u2026the data analyzed during this period show us that Crouching Yeti\u2019s impact continues to increase in terms of infected victims reporting to the C2s, although internal data from KSN shows a different picture (residual number of infections). In this update, we did not see relevant changes in the infrastructure or in the C2 activity\u201d, reads the Kaspersky Lab report published at Securelist. For detailed data please <a href=\"https:\/\/securelist.com\/blog\/research\/69293\/yeti-still-crouching-in-the-forest\/\" target=\"_blank\" rel=\"noopener\">take a look here<\/a>.<\/p>\n<p><strong>Still crouching<\/strong><\/p>\n<p>The Securelist report says the impact continues to increase, but this\u00a0is likely because the operators have already switched infrastructure, techniques, and targets.<\/p>\n<p>It\u2019s strange to expect that a cyberespionage campaign of Crouching Yeti\u2019s scope would have\u00a0folded and bolted after getting discovered. On the other hand, discovery complicates things for the attackers \u2013 they are no longer as stealthy as they would like to be. So they need other ways to continue their activities.<\/p>\n<p>Overall, Yeti seems to be stalling somewhat. 
It\u2019s highly likely that\u00a0it is being\u00a0reformatted now \u2013 just like the\u00a0Red October APT that eventually <a href=\"https:\/\/business.kaspersky.com\/partly-cloudy-october-a-spiritual-successor-to-redoctober-apt-revealed\/3428\" target=\"_blank\" rel=\"noopener nofollow\">transformed into the Cloud Atlas campaign<\/a>.\u00a0We will most likely hear from\u00a0this campaign again, but under a different name.<\/p>\n<p>Who are going to be its next victims? \u201cAnyone\u201d is the pessimistic and somewhat incorrect\u00a0answer. More accurately it is \u201cAnyone with an insufficient data security policy and weak defenses\u201d.<\/p>\n<p>The area of activity is actually not as\u00a0important here. After all, Crouching Yeti <a href=\"http:\/\/apt.securelist.com\/\" target=\"_blank\" rel=\"noopener\">isn\u2019t the only APT<\/a> around.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Crouching Yeti, last year\u2019s widely publicized APT campaign, is apparently still active, although the operator might have switched infrastructure, techniques, and 
targets.<\/p>\n","protected":false},"author":209,"featured_media":15502,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[499,2140],"class_list":{"0":"post-3748","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apt","10":"tag-crouching-yeti"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/still-around-energetic-bearcrouching-yeti-apt-is-not-going-away\/3748\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/still-around-energetic-bearcrouching-yeti-apt-is-not-going-away\/3748\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/still-around-energetic-bearcrouching-yeti-apt-is-not-going-away\/3748\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3748","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=3748"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3748\/revisions"}],"predecessor-version":[{"id":33489,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3748\/revisions\/33489"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15502"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}