Energetic Bear

aka: Dragonfly, Crouching Yeti, Group 24, Havex, CrouchingYeti, Koala Team, IRON LIBERTY

A Russian group that collects intelligence on the energy industry.


Associated Families
php.wso win.dorshel win.havex_rat win.heriplor win.karagany win.listrix

References
http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans
http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf
https://attack.mitre.org/groups/G0035/
https://dragos.com/wp-content/uploads/CrashOverride-01.pdf
https://github.com/wso-shell
https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html
https://securelist.com/energetic-bear-crouching-yeti/85345/
https://ssu.gov.ua/sbu/control/uk/publish/article?art_id=170951&cat_i=39574
https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/
https://www.cfr.org/interactive/cyber-operations/crouching-yeti
https://www.f-secure.com/weblog/archives/00002718.html
https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html
https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat
https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA
https://www.riskiq.com/blog/labs/energetic-bear/
https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672
https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector
https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector
https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group

Credits: MISP Project