
Mysterious Malware 'Crouching Yeti' Has Infected High-Profile Targets Worldwide

Experts thought Energetic Bear came from Russia and only targeted power grids, but it’s worse than we could have imagined.
[Image: Connections between infected computers and their command-and-control infrastructure. Image: Kaspersky]

Energetic Bear, a malware campaign that was initially thought to have come from Russia and to have targeted only power grids, is much more widespread and potentially dangerous than cybersecurity experts first imagined.

A new report by Kaspersky Lab indicates that the malware has infected thousands of high-profile targets in various industries across the globe and that it likely wasn't a Russian invention. In fact, we really don't know where it came from. To reflect its mysterious origins, the campaign has been given a new name: Crouching Yeti.


According to the report, Crouching Yeti has been operating since at least 2010 and has infected roughly 2,800 targets in 38 countries, and in industries as diverse as education and pharmaceuticals.

This finding is both concerning and confounding. It is concerning because the campaign's victims are all leaders in their field—though the report doesn't name them—and the clear goal is to glean sensitive information and trade secrets. It is confounding because the experts tracking the malware are essentially left to wonder why.

"This victims' list reinforces the interests shown by the Crouching Yeti actor in strategic targets, but also shows the interest of the group in many other not-so-obvious institutions," the report states. "We believe they might be collateral victims, but it might also be fair to redefine the Crouching Yeti actor not only as a highly targeted one in a very specific area of interest, but a broad surveillance campaign with interests in different sectors."

"We will continue monitoring this actor," Kaspersky Lab researchers continued.

As for the malware's now-uncertain origin, Kaspersky Lab found "a complete lack of Cyrillic content" in its code, meaning it probably didn't come from Russia.

"There simply is no one piece or set of data that would lead to the conclusion that the threat actor is Bear, Kitten, Panda, Salmon [code names for nation-states], or otherwise," according to the report.

But the campaign does contain a few clues as to its origins. Most of the text in the malware's backdoor code is written in English, with French and Swedish words thrown in. Equally baffling is the question of whether the malware came from a government or from a rogue group of independent hackers.

Crouching Yeti isn't nearly as complex as other malware campaigns suspected of nation-state origin, such as Careto, which has been targeting various world power brokers since 2007. According to the report, Yeti is actually quite simple by comparison.

The malware infected computers using simple Trojans embedded in PDFs and software installers. These Trojans then connected the infected system to a large network of hacked websites that issued commands and hosted malware modules and victim information. None of the exploits were zero-days: they all relied on previously disclosed, well-known vulnerabilities. The campaign's approach, the report says, is "simple, but effective."

At this point, security experts can't do much more than monitor Crouching Yeti's development and remind people to update their software. Hopefully, the massive malware campaign's creators and true goals will be uncovered as clues add up. Until then, it will likely continue to infect and observe the computer systems of the world's major industry players on behalf of unknown parties, and with an unknown motive.