Kaspersky announces Energetic Bear APT analysis report: Targeting European and U.S. Energy and Industrial Sectors
Kaspersky recently analyzed servers compromised by the Energetic Bear APT group and determined, to some extent, that the group operates either in its own interests or on orders from external customers. The Kaspersky Lab ICS CERT report provides information about the identified servers that were infected and used by the group. The report also includes an analysis of Energetic Bear attacks on several web servers in 2016 and early 2017.
Energetic Bear has been active since 2010. The group attacks companies across different sectors, focusing mainly on energy and industry. According to the statistics, its victims show a clear geographic concentration, mainly in Europe and the United States. In 2016-2017, the number of Turkish companies hit by Energetic Bear attacks also increased significantly.
The group's main tactics include sending phishing emails with malicious attachments and infecting various servers. Energetic Bear uses some of the infected servers for auxiliary purposes, such as hosting tools and logs. Other servers are deliberately compromised so they can be used in watering hole attacks that serve the group's primary goal.
The analysis of the compromised servers and of the attackers' activity on them yielded the following conclusions:
- With rare exceptions, the group uses publicly available utilities for its attacks, which makes attribution very difficult without additional group "markers";
- Potentially, any vulnerable server on the Internet is of interest to the attackers when they want to establish a foothold from which to develop further attacks on a target facility;
- In most of the cases observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data;
- The diversity of the victims may indicate a diversity of interests on the part of the attackers;
- To some extent, it can be said with confidence that the group serves its own interests or takes orders from external customers, carrying out initial data collection, stealing authentication data, and gaining persistence on resources suitable for developing further attacks.
It is worth noting that the group's recent activities in the US were discussed in a US-CERT advisory, which links Energetic Bear to the Russian government.
Source: SecurityAffairs