Crouching Yeti
"Crouching Yeti" also targets industry
Kaspersky Lab experts have uncovered parts of the infrastructure of the well-known Russian-language APT group "Crouching Yeti" - also known as Energetic Bear - including compromised servers around the world.
Kaspersky Lab has already reported many cyberattacks against organizations in the energy, mechanical engineering and ICS integration sectors in the second half of 2017.
Crouching Yeti is a Russian-speaking APT (Advanced Persistent Threat) group that has been on the radar of Kaspersky Lab experts since 2010. It is primarily known for targeting industrial companies worldwide, with a focus on energy plants, with the aim of stealing sensitive data. The group often relies on so-called watering hole attacks: the attackers plant a link on a legitimate website that redirects its visitors to a malicious server.
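Because a watering hole works by slipping a reference to an attacker-controlled host into an otherwise legitimate page, a website operator can catch it by periodically parsing the site's own HTML and flagging every resource reference, redirect or link whose host is not one of the site's known domains. The following script is an added example written for this article and is not code from Kaspersky Lab or from the group's toolset; the sample page, the allowlisted domain `vendor.example` and the hostname `attacker-controlled.invalid` are constructed placeholders.

```python
"""Flag references in an HTML page that point outside a site's own domains.

Added example: parses a page with the standard-library HTMLParser and
reports script/iframe/link/form/object targets and meta-refresh redirects
whose host is not on an allowlist. Sample HTML and hosts are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag attributes that make a browser fetch from, or navigate to, a URL.
FETCH_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "a": ("href",),
    "form": ("action",),
    "object": ("data",),
    "embed": ("src",),
}


class ExternalRefCollector(HTMLParser):
    """Collects (tag, url) pairs whose host is outside the allowed domains."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _check(self, tag, url):
        host = urlparse(url).hostname
        if host is None:
            return  # relative URL or non-network scheme: same origin
        host = host.lower()
        allowed = host in self.allowed_hosts or any(
            host.endswith("." + a) for a in self.allowed_hosts
        )
        if not allowed:
            self.findings.append((tag, url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            if attrs.get(name):
                self._check(tag, attrs[name])
        # <meta http-equiv="refresh" content="0;url=..."> is a client-side redirect
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            idx = content.lower().find("url=")
            if idx != -1:
                self._check("meta-refresh", content[idx + 4:].strip())


def find_external_refs(html, allowed_hosts):
    """Return the list of (tag, url) references that leave the allowed domains."""
    collector = ExternalRefCollector(allowed_hosts)
    collector.feed(html)
    return collector.findings


# Constructed sample page: one legitimate CDN script, one protocol-relative
# script and one 1x1 iframe pointing at a host the site does not own.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.vendor.example/lib.js"></script>
<script src="//attacker-controlled.invalid/a.js"></script>
</head><body>
<a href="https://www.vendor.example/about">About</a>
<iframe src="http://attacker-controlled.invalid/f.php" width="1" height="1"></iframe>
</body></html>"""

ALLOWED_HOSTS = ["vendor.example"]  # assumption: the site's own domain(s)


def scan_sample():
    return find_external_refs(SAMPLE_PAGE, ALLOWED_HOSTS)


if __name__ == "__main__":
    for tag, url in scan_sample():
        print(f"suspicious {tag}: {url}")
```

Run it against a crawl of your own pages and diff the output over time: a reference that appears on a page that has not been legitimately edited is worth an immediate look at the web server's file timestamps and access logs. Subdomains of an allowlisted domain are accepted, so the list should contain only domains the organization actually controls.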
Kaspersky Lab experts have discovered a number of servers that have been compromised by the group and belong to various organizations based in Russia, the US, Turkey and European countries. These servers are not exclusively limited to industrial companies. In 2016 and 2017, they were misused for various purposes - in addition to watering holes, in some cases they were used as intermediaries for attacks on other resources.
Attacks commissioned by third parties?
"Crouching Yeti is a notorious Russian-speaking group that has been active for many years and is still successfully attacking industrial organizations through watering hole attacks and other techniques," said Vladimir Dashchenko, Head of Vulnerability Research Group at Kaspersky Lab ICS CERT. "Our findings show that the group compromised servers not only to create watering holes, but also for further scanning and actively used open source tools that make identification difficult after the fact. The group's activities such as initial data collection, theft of authentication credentials and resource scanning are used to launch further attacks. The variety of infected servers and scanned resources indicates that the group may be acting in the interests of third parties."
International websites were scanned
During the analysis of infected servers, the experts identified numerous websites and servers used by organizations in Russia, the USA, Europe, Asia and Latin America. The attackers had scanned these with various tools in order to find servers they could compromise, host their tools on and use to stage further attacks. Some of the scanned sites may have been of interest to the attackers as candidates for watering holes. The range of websites and servers that attracted the intruders' attention is extensive. According to the security experts, the attackers scanned numerous websites of different types, including online stores, online service providers, public organizations, NGOs, manufacturing companies and many others.
The security researchers also found that the group used publicly available malicious tools to analyze servers and to find and collect information. A modified sshd file with a built-in backdoor was also discovered: it accepted a "master password" for authentication and was used to replace the original sshd binary on the compromised server.
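A backdoored sshd that replaces the legitimate binary on disk is invisible to password audits, but it does change the file's contents, so a hash baseline taken before the compromise and kept off the host will reveal it. The script below is an added example for this article, not code from Kaspersky Lab or from the group's tools; it records SHA-256 digests and file modes for a list of paths and later reports files that were modified, went missing or appeared. The demonstration runs entirely inside a temporary directory with constructed file contents; the watched path list is an assumption, in practice it would name `/usr/sbin/sshd` and the other binaries you care about.

```python
"""Baseline and verify hashes of critical binaries (added example).

build_manifest() records sha256, size and permission mode for each path;
verify_manifest() compares the live files against that record. demo()
simulates the article's scenario in a scratch directory: a baseline is
taken, then the 'sshd' file is replaced, and the change is detected.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_mode(path):
    return oct(os.stat(path).st_mode & 0o7777)


def build_manifest(paths):
    """Record digest, size and mode for every path that exists as a regular file."""
    manifest = {}
    for p in paths:
        if os.path.isfile(p):
            manifest[p] = {
                "sha256": sha256_of(p),
                "size": os.path.getsize(p),
                "mode": file_mode(p),
            }
    return manifest


def verify_manifest(manifest, paths):
    """Return {'modified': [...], 'missing': [...], 'unexpected': [...]}."""
    findings = {"modified": [], "missing": [], "unexpected": []}
    for p, expected in manifest.items():
        if not os.path.isfile(p):
            findings["missing"].append(p)
        elif sha256_of(p) != expected["sha256"] or file_mode(p) != expected["mode"]:
            findings["modified"].append(p)
    for p in paths:
        # A file that now exists at a watched path but was absent at baseline time.
        if os.path.isfile(p) and p not in manifest:
            findings["unexpected"].append(p)
    return findings


def demo():
    """Constructed scenario: baseline two 'binaries', then replace one of them."""
    with tempfile.TemporaryDirectory() as root:
        sshd = os.path.join(root, "sshd")
        ssh = os.path.join(root, "ssh")
        with open(sshd, "wb") as f:
            f.write(b"constructed: original sshd bytes")
        with open(ssh, "wb") as f:
            f.write(b"constructed: original ssh bytes")
        watched = [sshd, ssh]

        # Baseline is serialized so it can be stored off-host; a root-level
        # intruder can otherwise edit a manifest kept on the same machine.
        baseline_json = json.dumps(build_manifest(watched))

        # Simulate the replacement the article describes: same path, new contents.
        with open(sshd, "wb") as f:
            f.write(b"constructed: replaced sshd bytes")

        result = verify_manifest(json.loads(baseline_json), watched)
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

On package-managed systems the distribution's own metadata is a ready-made baseline: `rpm -V openssh-server` on RPM-based distributions and `dpkg --verify openssh-server` (or `debsums`) on Debian-based ones will report a changed `/usr/sbin/sshd`. That check is only as trustworthy as the local package database, which an intruder with root access can also alter, so a copy of the manifest held on a separate host, as the script's JSON serialization is meant to allow, is the stronger control.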
How companies protect themselves
According to Kaspersky Lab, organizations should implement comprehensive measures against current threats, consisting of the use of dedicated security solutions for targeted attack detection and incident response as well as expert services and threat intelligence. As part of Kaspersky Threat Management and Defense, the Anti-Targeted Attack platform detects attacks at an early stage by analyzing suspicious network activity, while Kaspersky Endpoint Detection and Response provides enhanced endpoint visibility, investigation capabilities and response automation. These are complemented by global threat intelligence and Kaspersky expert services specializing in threat hunting and incident response.
How do you recognize a Crouching Yeti infection?
Reliable antivirus products, such as Kaspersky Anti-Virus, can identify the threat. Kaspersky products detect the malware used in the Crouching Yeti campaign with the following threat definitions:
● Trojan.Win32.Sysmain.xxx
● Trojan.Win32.Havex.xxx
● Trojan.Win32.ddex.xxx
● Backdoor.MSIL.ClientX.xxx
● Trojan.Win32.Karagany.xxx
● Trojan-Spy.Win32.HavexOPC.xxx
● Trojan-Spy.Win32.HavexNk2.xxx
● Trojan-Dropper.Win32.HavexDrop.xxx
● Trojan-Spy.Win32.HavexNetscan.xxx
● Trojan-Spy.Win32.HavexSysinfo.xxx
How can I protect myself from Crouching Yeti?
● Always keep your software up to date. Crouching Yeti has so far not used any zero-day exploits, so most of the infections to date could have been prevented simply by updating third-party software.
● Install a security solution and keep it up to date to avoid virus infections.
● Education is also an important aspect of security, especially with regard to spear phishing.