# Full Report
This report by Kaspersky Lab ICS CERT presents information on identified servers that have been infected and used by the group. The report also includes the findings of an analysis of several web servers compromised by the Energetic Bear group during 2016 and in early 2017.
# Analysis Summary
# Threat Actor: Energetic Bear / Crouching Yeti
## Attribution & Identity
* **Primary Names:** Energetic Bear, Crouching Yeti.
* **Aliases:** DragonOK, DYMALLOY, Havex Team.
* **Associations:** Some community members link the group to the Russian Federation (FSB-associated), though this specific report focuses on technical activity rather than geopolitical attribution.
* **Active Since:** Approximately 2010; the report specifically analyzes campaigns from 2016 through early 2017.
## Activity Summary
The report details a campaign targeting various web servers to use as multi-purpose infrastructure. The group compromised servers to host malware, act as Command and Control (C2) nodes, and serve as platforms for watering hole attacks. Key activities included the exploitation of vulnerabilities in web applications (specifically CMS platforms) to gain initial access and the subsequent deployment of various scripts and tools to maintain persistence and conduct lateral movement.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of known vulnerabilities in web servers (WordPress, Joomla) via automated scanners.
* **Credential Access:** Use of a modified script to capture SMB hashes (LLMNR/NBNS poisoning-like behavior) by forcing authentication to an actor-controlled server.
* **Persistence:** Deployment of various PHP web shells to maintain access to compromised web servers.
* **Collection:** Use of custom Perl scripts to search for sensitive files (passwords, configuration files) within the file system.
* **Lateral Movement:** Utilizing compromised infrastructure to scan and probe further targets within the same or associated networks.
* **Watering Hole Attacks:** Injecting malicious JS code into legitimate websites to redirect or capture information from visitors.
## Targeting
* **Sectors:** Industrial Control Systems (ICS), Energy, Manufacturing, Pharmaceutical, Construction, and Aerospace.
* **Geography:** Primarily Europe and the United States, with significant activity noted in Turkey, Greece, and Germany.
* **Victims:**
  * Industrial automation companies.
  * Educational institutions.
  * Governmental organizations.
  * Service providers (ISP/Web hosting).
## Tools & Infrastructure
* **Malware Families:**
  * **Havex:** Remote access trojan (RAT) historically associated with the group.
  * **PHP Shells:** Various obfuscated PHP shells (e.g., b374k).
* **Tools:**
  * Custom Perl scripts for reconnaissance.
  * Modified open-source tools for SMB credential harvesting.
  * Nmap and masscan for network scanning.
* **Infrastructure (Defanged):**
  * **C2/Host Domains:** hxxp[://]fav-icons[.]com, hxxp[://]p-90[.]xyz
  * **IP Addresses:** 167[.]114[.]13[.]141, 5[.]9[.]48[.]145
  * **Compromised Servers:** Numerous legitimate but vulnerable WordPress and Joomla sites.
## Implications
Energetic Bear represents a sophisticated threat to industrial sectors. Their ability to compromise "middle-man" infrastructure (legitimate third-party servers) makes attribution and detection difficult. By targeting the supply chain and supporting infrastructure of ICS entities, they gain a strategic foothold that can be used for long-term espionage or, potentially, disruptive operations against critical infrastructure.
## Mitigations
* **Web Server Hardening:** Regularly update CMS platforms (WordPress/Joomla) and plugins to the latest versions.
* **Network Segmentation:** Isolate web-facing servers from internal ICS networks.
* **SMB Security:** Block outbound SMB traffic (ports 139/445) to the internet to prevent credential harvesting via leaked hashes.
* **Monitoring:** Implement file integrity monitoring (FIM) on web servers to detect the unauthorized upload of PHP shells or scripts.
* **Access Control:** Use strong, unique credentials for all administrative interfaces and implement Multi-Factor Authentication (MFA).
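As an added example (not from the Kaspersky Lab ICS CERT report and not a tool used by the group), the following Python script implements the file integrity monitoring idea from the Mitigations list: it baselines a web root, diffs a later snapshot, and triages added or modified PHP files against constructed obfuscation heuristics. The WordPress-style paths, the inert placeholder file content and the heuristic keywords are assumptions made for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed heuristics for common PHP shell obfuscation; not signatures from the report.
SUSPICIOUS = re.compile(rb"\b(eval|assert|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
PHP_EXT = (".php", ".phtml", ".php5")


def snapshot(web_root):
    """Map each file's path (relative to web_root, POSIX separators) to its SHA-256 digest."""
    root = Path(web_root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(old, new):
    """Return sorted (added, modified, removed) paths between two snapshots."""
    added = sorted(p for p in new if p not in old)
    modified = sorted(p for p in new if p in old and old[p] != new[p])
    removed = sorted(p for p in old if p not in new)
    return added, modified, removed


def triage_php(web_root, paths):
    """Among changed files, return PHP files whose content matches the obfuscation heuristics."""
    return [rel for rel in paths if rel.lower().endswith(PHP_EXT)
            and SUSPICIOUS.search((Path(web_root) / rel).read_bytes())]


def demo():
    """Constructed scenario: baseline a fake WordPress root, then simulate an upload and an edit."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    base = snapshot(root)
    # New file under uploads/ carrying an obfuscation marker (inert placeholder, not a working shell).
    (root / "wp-content" / "uploads" / "cache.php").write_text(
        "<?php eval(base64_decode('PLACEHOLDER')); ?>\n")
    # Benign-looking edit to an existing file: reported as modified, but no heuristic hit.
    with (root / "index.php").open("a") as f:
        f.write("// constructed comment\n")
    added, modified, removed = diff_snapshots(base, snapshot(root))
    return {"added": added, "modified": modified, "removed": removed,
            "suspicious": triage_php(root, added + modified)}
```

In production the baseline would be stored off-host and the diff run on a schedule, with every "suspicious" hit reviewed rather than auto-deleted, since legitimate plugins occasionally use the same functions.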