Kaspersky Lab Discovers Russian Hacker Infrastructure

russian hacking code

subscribe

NEW YORK -

A hacker collective known for attacking industrial companies around the world have had some of their infrastructure identified by Russian security specialists.

Kaspersky Lab said that it has discovered a number of servers compromised by the group, belonging to different organisations based in Russia, the US, and Turkey, as well as European countries.

The Russian-speaking hackers, known as Crouching Yeti or Energetic Bear, mostly focus on energy facilities, for the main purpose of stealing valuable data from victim systems.

 

Hacked servers

Crouching Yeti is described as an advanced persistent threat (APT) group that Kaspersky Lab has been tracking since 2010.

#google#

Kaspersky Lab said that the servers it has compromised are not just limited to industrial companies. The servers were hit in 2016 and 2017 with different intentions. Some were compromised to gain access to other resources or to be used as intermediaries to conduct attacks on other resources.

Others, including those hosting Russian websites, were used as watering holes.

It is a common tactic for Crouching Yeti to utilise watering hole attacks where the attackers inject websites with a link redirecting visitors to a malicious server.

“In the process of analysing infected servers, researchers identified numerous websites and servers used by organisations in Russia, US, Europe, Asia and Latin America that the attackers had scanned with various tools, possibly to find a server that could be used to establish a foothold for hosting the attackers’ tools and to subsequently develop an attack,” said the security specialists in a blog posting.

“The range of websites and servers that captured the attention of the intruders is extensive,” the firm said. “Kaspersky Lab researchers found that the attackers had scanned numerous websites of different types, including online stores and services, public organisations, NGOs, manufacturing, etc.

Kaspersky Lab said that the hackers used publicly available malicious tools, designed for analysing servers, and for seeking out and collecting information. The researchers also found a modified sshd file with a preinstalled backdoor. This was used to replace the original file and could be authorised with a ‘master password’.

“Crouching Yeti is a notorious Russian-speaking group that has been active for many years and is still successfully targeting industrial organisations through watering hole attacks, among other techniques,” explained Vladimir Dashchenko, head of vulnerability research group at Kaspersky Lab ICS CERT.

 

Russian government?

“Our findings show that the group compromised servers not only for establishing watering holes, but also for further scanning, and they actively used open-sourced tools that made it much harder to identify them afterwards,” he said.

“The group’s activities, such as initial data collection, the theft of authentication data, and the scanning of resources, are used to launch further attacks,” said Dashchenko. “The diversity of infected servers and scanned resources suggests the group may operate in the interests of the third parties.”

This may well tie into a similar conclusion from a rival security vendor.

In 2014 CrowdStrike claimed that the ‘Energetic Bear’ group had been hacking foreign companies on behalf of the Russian state.

The security vendor had said the group had been carrying out attacks on foreign companies since 2012, and there was evidence that these operations were sanctioned by the Russian government.

Last month the United States for the first time publicly accused Russia of hacking attacks against the American power grid.

Symantec meanwhile warned last year of a resurgence in cyber attacks on European and US energy companies, which could result widespread power outages.

And last July the UK’s National Cyber Security Centre (NCSC) acknowledged it was investigating a broad wave of attacks on companies in the British energy and manufacturing sectors.

Related News

trudeau environment

Canada could be electric, connected and clean — if it chooses

TORONTO - So, how do we get there?

We're already on our way.

The final weeks of 2016 delivered some progress, as Prime Minister Justin Trudeau and premiers of 11 of the 13 provinces and territories negotiated a new national climate plan. The deal is a game changer. It marks the moment that Canada stopped arguing about whether to tackle climate change and started figuring out how we're going to get there.

We can each be part of the solution by reducing the amount of energy we use, making sure our homes and workplaces are well insulated and choosing energy…

READ MORE
Yale Report Promotes Western Grid

Yale Report on Western Grid Integration: Just Say Yes

READ MORE

vladimir putin inspects computer terminal

Russian hackers had 'hundreds of victims' as they infiltrated U.S. power grid

READ MORE

russian hackers

Russians hacked into US electric utilities: 6 essential reads

READ MORE

Synchrophasors and the Smart Grid

How Synchrophasors are Bringing the Grid into the 21st Century

READ MORE