taner

Crouching Yeti cyber espionage campaign is still active, with targets in Turkey too!

Crouching Yeti is still active and is looking to expand its list of victims. Kaspersky Lab has announced details of the cyber espionage campaign known as Crouching Yeti, based on research by the company's Global Research and Analysis Team (GReAT). The campaign, whose origins date back to the end of 2010, is still very much alive today and is looking for new victims every day.

Kaspersky Lab's Chief Security Researcher Nicolas Brulez said of this threat: "Energetic Bear was the first name given to this campaign by Crowd Strike, according to their terminology. Crowd Strike believes the campaign is of Russian origin. Kaspersky Lab is still investigating all the existing clues, but currently a strong conclusion cannot be reached in either direction. Additionally, our analysis suggests that the attackers' global focus is much wider than electricity producers. Based on these data, we decided on a new name for this case: a Yeti, which is reminiscent of a bear and has a mysterious origin."

Threatens many different sectors

Energetic Bear / Crouching Yeti has been involved in a large number of advanced persistent threat (APT) campaigns. According to Kaspersky Lab's research, the victims appear to span a much wider range of businesses than previously thought. The largest numbers of victims are in the industrial/machinery, manufacturing, pharmaceutical, construction, education and information technology sectors.

The total number of known victims worldwide is more than 2,800. Among them, Kaspersky Lab researchers were able to identify 101 organizations. This list of victims seems to indicate Crouching Yeti's interest in strategic targets, but it also shows the group's interest in a large number of other, less obvious institutions. Kaspersky Lab's experts believe these might be secondary victims, but it might also make sense to redefine Crouching Yeti not only as a campaign with targets in one very specific area, but also as a broad campaign with interests in different sectors.

The attacked organizations are located mostly in the United States, Spain and Japan, but there are also victims in Germany, France, Italy, Turkey, Ireland, Poland and China. Given the nature of the known victims, the main impact of the attacks is the disclosure of highly sensitive information such as trade secrets and technical information.

Crouching Yeti can hardly be called a sophisticated campaign. For example, the attackers were seen relying on exploit code that is commonly available on the Internet. Nevertheless, this did not prevent the campaign from staying under the radar for several years.

Kaspersky Lab researchers have found evidence of five types of malicious tools used by the attackers to collect valuable information from compromised systems:

Havex Trojan
Sysmain Trojan
ClientX backdoor
Karagany backdoor and related stealers
Lateral movement and second-stage tools

The most commonly used tool is the Havex Trojan. Kaspersky Lab researchers discovered a total of 27 different versions of this malicious program, along with a variety of additional modules, including tools for collecting data from industrial control systems. Kaspersky Lab products detect and eliminate all variants of the malware used in this campaign.

For command and control, Havex and the other malicious tools used by Crouching Yeti connect to a large network of hacked websites. These sites host information about victims and serve commands, along with additional malware modules, to infected systems. The current Havex Trojan is known to have two very special modules that enable the attacker to collect and transmit data from specific industrial IT environments.

Mysterious origin

Kaspersky Lab researchers observed several meta-features that could point to the national origin of the culprits behind this campaign. In particular, the file timestamps of 154 samples were analyzed, and it was concluded that many of them were compiled between 06:00 and 16:00 UTC. This could point to any country in Europe, as well as Eastern Europe.
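The compile-time profiling described above can be reproduced on a sample set as follows. This is an added example, not Kaspersky Lab's tooling: it reads the COFF TimeDateStamp from each PE header and measures the share of samples compiled inside a UTC window. The function names, the half-open 06:00-16:00 window and the stub samples are assumptions constructed for illustration.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine (2 bytes), NumberOfSections (2), TimeDateStamp (4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def hour_profile(samples, start=6, end=16):
    """Histogram compile hours (UTC) and the share inside [start, end)."""
    hours, skipped = Counter(), 0
    for blob in samples:
        try:
            hours[pe_compile_time(blob).hour] += 1
        except ValueError:
            skipped += 1  # not a PE file, or header truncated
    total = sum(hours.values())
    inside = sum(n for h, n in hours.items() if start <= h < end)
    return hours, (inside / total if total else 0.0), skipped

def make_stub(ts: datetime) -> bytes:
    """Constructed test input: smallest header that carries a timestamp."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHI", 0x14C, 1, int(ts.timestamp()))
    return dos + b"PE\0\0" + coff

# Constructed samples (not real malware): six stubs plus one non-PE blob.
SAMPLES = [make_stub(datetime(2013, 5, d, h, 30, tzinfo=timezone.utc))
           for d, h in [(2, 7), (3, 9), (6, 9), (7, 13), (8, 15), (9, 21)]]
SAMPLES.append(b"not a PE file")

if __name__ == "__main__":
    hours, share, skipped = hour_profile(SAMPLES)
    for h in sorted(hours):
        print(f"{h:02d}:00 UTC  {'#' * hours[h]}")
    print(f"{share:.0%} inside 06:00-16:00 UTC, {skipped} skipped")
```

The TimeDateStamp field is written by the build toolchain and can be set to any value, so a profile like this is a weak indicator that needs corroboration from other evidence.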

Experts also analyzed the language of the actors. The strings present in the analyzed malware are in English (written by non-native speakers). Unlike many of the researchers who have analyzed this campaign, Kaspersky Lab's experts could not reach a definitive conclusion that the actor is of Russian origin. Across nearly 200 malicious binaries and the related operational content, Cyrillic content (or its transliteration) is entirely absent, unlike the findings documented in Kaspersky Lab's research into Red October, MiniDuke, CosmicDuke, Snake and TeamSpy. In addition, clues pointing to French and Swedish speakers were found.
