Three Australian firms in the IT, academic and logistics sectors have been targeted by an advanced persistent threat (APT) campaign that Kaspersky Lab researchers dubbed Crouching Yeti.
The APT is designed to command and control server infrastructure. According to the vendor, 2,800 companies in a range of sectors including manufacturing, education, IT and construction have been affected globally.
Kaspersky Lab researchers identified 101 firms in a document (PDF) including three from Australia.
An academic and research network, IT management/governance firm and a company that provides towing services to the Australian commercial trucking industry were mentioned in the report but not named.
“This list of victims seems to indicate the campaign’s interest in both strategic targets as well as collateral institutions. This helps redefine and extend the campaign towards a broad surveillance function with interests across different sectors,” said a Kaspersky Lab spokesperson.
“Given the nature of the known victims, the main impact is the disclosure of very sensitive information, including trade secrets.”
According to the vendor, Crouching Yeti is not a sophisticated campaign. For example, the spokesperson said that attackers only used exploits that can be found on hacker forums.
One of these exploits is the Havex Trojan, which can be used to gather data from industrial IT environments and control systems and transmit it to the attackers.
“Havex Trojan contains an OPC scanner module which is designed to collect extremely detailed data about the OPC servers running in the local network. Such servers are usually used where multiple industrial automation systems are operating,” the spokesperson said.
The OPC module is accompanied by a network scanning tool that is used to scan the local network and find out which OPC or Supervisory Control and Data Acquisition (SCADA) system is running. The scanning tool then transmits data to the command and control servers.
The spokesperson added that Kaspersky Lab staff are “continuing their research” into the Crouching Yeti campaign while working with law enforcement agencies around the world.
Follow Hamish Barwick on Twitter: @HamishBarwick