An old foe’s footprints muddle the mystery around group responsible for energy sector hacks

The leading suspect behind the incident is a group associated with past operations tied to Russia. Yet experts are divided over whether that activity can be tied to the Kremlin.

Though leading cybersecurity firms are closing in on the hackers responsible for a recent email phishing campaign and watering hole scheme designed to target U.S. energy companies, the available evidence points to an amorphous group that hasn’t been active for three years. It’s yet another mystery within an already complex case.

The leading suspect behind this incident, according to cybersecurity experts and former U.S. intelligence officials, is a group associated with past operations tied to Russia. Known as “Energetic Bear,” “Koala Team” or “Crouching Yeti” to the information security community, the unit has a long history of targeting the energy sector and exploiting outdated vulnerabilities in Microsoft Word and Adobe Flash.

“Koala Team is a prolific cyber espionage actor that has affected a comprehensive set of verticals using a combination of opportunistic and targeted tactics since at least 2011,” Cristiana Brafman Kittner, a senior analyst with U.S. cybersecurity firm FireEye, told CyberScoop. “Koala Team’s operations are believed to have a strong nexus to industrial espionage and reconnaissance across multiple sectors, particularly energy, academia, and pharmaceutical.”

On June 28, the FBI and Department of Homeland Security sent out a warning to U.S. energy companies to be on the lookout for an advanced persistent threat (APT) that was working to “harvest credentials in order to establish persistence on victims’ networks” by using spear phishing emails and infected websites commonly visited by energy sector employees, according to a joint analysis report labeled “TLP:AMBER.”

Noteworthy similarities exist between the recently uncovered hacking operation aimed at the U.S. energy sector and past data breach incidents previously attributed to Energetic Bear, cybersecurity experts say. But analysts disagree on who exactly Energetic Bear is and to what degree the group is definitively involved in ongoing intrusion attempts against U.S. companies.

“Targeting of the energy sector and the use of watering hole tactics and spear-phishing campaigns are characteristic of cyber espionage activity, particularly from Russian actors,” Brafman Kittner said. “[However,] at this time, tactics, techniques, and procedures (TTPs), infrastructure, tools used, and victimology … are insufficient to definitively attribute this activity to a particular group.”

With that being said, “the TTPs observed in 2014, and most recently are similar, and do not appear to have changed noticeably,” Kittner said. “Oftentimes, we see even the most sophisticated actors leveraging the simplest method to achieve success.”

The uncertainty among analysts is driven, at least in part, by a lack of current visibility into the group’s operations.

“We have not definitely attributed any cyber espionage activity to Koala Team since 2014,” Kittner said.

The private sector lost track of Energetic Bear after the group seemingly disappeared three years ago. In the summer of 2014, security companies published reports on the group, including its use of several unique remote access trojans (RATs).

“Since the public disclosures, no new builds of the malware used by Energetic Bear – primarily the Havex and SYSMain RATs – have been observed. This toolset has seen several evolutionary developments over a period spanning at least five years, and its loss is likely to cause the adversary to enter a retooling phase,” CrowdStrike noted in a 2014 analysis. “The underlying intelligence requirements driving their operations are unlikely to change, however, and it is likely that ENERGETIC BEAR will re-emerge with a new toolset in the future.”

Cybersecurity firms typically study hacker activity by collecting information from a network of customer systems, internet sensors and malware captured by anti-virus products. Variance in customer groups between companies can affect the insight each company provides into specific threats.

“After our 2014 research publication, we saw the group we considered ‘Crouching Yeti’ close down their operations,” said Kurt Baumgartner, principal security researcher with Kaspersky Lab’s Global Research and Analysis Team. “Our visibility didn’t provide any new observations into new Crouching Yeti activity.”

Energetic Bear has been active since at least 2010, according to Kaspersky Lab.

U.S.-based cybersecurity companies CrowdStrike and FireEye first discovered the group in 2012 and 2011, respectively.

The potential reemergence of Energetic Bear may be indicative of an increasingly busy threat landscape, where nations are already actively competing with one another to compromise critical infrastructure systems.

It’s unclear to what degree Energetic Bear is associated with other high-profile Russian hacking groups, including APT29 and APT28, also known as Cozy Bear and Fancy Bear, which are believed to work with Russian intelligence and military units. A technical analysis conducted by U.S. cybersecurity firm CrowdStrike previously associated Energetic Bear with Russia’s Federal Security Service, or FSB.

Other firms, however, aren’t as sure that Energetic Bear is connected to a Russian government agency.

“The activity that we identified at the time did not show any clear or obvious regional connections,” Baumgartner said. “Even targeting evaluation did not necessarily help [with attribution].”

The Washington Post reported Sunday that an internal National Security Agency analysis of the aforementioned watering hole and email phishing campaign pointed to FSB involvement. Some cybersecurity experts with access to samples of the malicious emails say that it’s still too early to make attribution claims.

Adam Meyers, head of CrowdStrike’s threat intelligence unit, described Energetic Bear in April 2015 as “an adversary group out of the Russian Federation that has been conducting broad intelligence collection operations against the energy sector and demonstrated the ability to interact with OPC (Object Linking and Embedding for Process Control).”

“As looming energy crises and market fluctuation continue to impact international discourse, the oil and gas industry will continue to be in the cross hairs of numerous state sponsored computer network operations programs,” Meyers wrote in a 2015 blog post.

A CrowdStrike spokesperson said the firm was unable to further comment for this story.

Kaspersky Lab researchers previously found that Energetic Bear had successfully hacked into more than 2,800 individual organizations between 2010 and 2014, with a majority of known victims based in the U.S. and Spain.

In the past, Energetic Bear relied on phishing emails, trojanized software installers and watering hole attacks using a variety of reused exploits to penetrate businesses operating in multiple sectors, including manufacturing, pharmaceutical, construction, education and information technology.

“In 2014, they ripped exploits from Metasploit, and poisoned ICS-related software installers with backdoors,” said Baumgartner. “So the most interesting piece to me about the group was their ability to target and compromise sites and resources serving the installers, and for use in their watering holes.”

In at least one case, the group previously booby-trapped a web property known for posting news, updates and other information about supervisory control and data acquisition (SCADA) systems, said John Hultquist, head of FireEye’s cyber-espionage analysis division. A similar technique was recently seen being leveraged against American companies.

“The most important infection vector [for Energetic Bear] is compromised SCADA software sites because it helps people understand them,” Hultquist said. “That activity shows a deliberate attempt to compromise control systems” and not just front offices.

Hultquist said that the most recent batch of malicious emails could be tied to an international cyber-espionage operation that dates at least to 2015.

FireEye has yet to publicly attribute the campaign to any one specific hacking group.