{"id":1310,"date":"2014-08-04T16:51:53","date_gmt":"2014-08-04T20:51:53","guid":{"rendered":"http:\/\/www.kaspersky.com.tr\/blog\/?p=1310"},"modified":"2020-02-26T18:36:32","modified_gmt":"2020-02-26T15:36:32","slug":"siber-casusluk-kampanyasi-crouching-yeti-halen-aktif","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/siber-casusluk-kampanyasi-crouching-yeti-halen-aktif\/1310\/","title":{"rendered":"Cyber-Espionage Campaign Crouching Yeti Is Still Active"},"content":{"rendered":"<p style=\"color: #666666\"><span style=\"color: #2f2f2f\">Crouching Yeti is still active and is looking to expand its list of victims.<strong>\u00a0<\/strong>Kaspersky Lab has released details of the research carried out by its Global Research and Analysis Team (GReAT) into the cyber-espionage campaign known as Crouching Yeti. The campaign, whose origins date back to late 2010, is definitely still alive today and seeks new victims every day.<\/span><\/p>\n<p style=\"color: #666666\"><strong><span style=\"color: #2f2f2f\">Nicolas Brulez, Principal Security Researcher at Kaspersky Lab,<\/span><\/strong><span style=\"color: #2f2f2f\">\u00a0said of this threat:\u00a0\u201c<em>Energetic Bear was the initial name given to this campaign by CrowdStrike according to their own terminology. CrowdStrike believes this campaign is of Russian origin. Kaspersky Lab is still investigating all existing leads; however, at the moment no strong conclusion has been reached in either direction. Our analysis also shows that the attackers\u2019 global focus is much broader than power producers. 
Based on this data, we decided to give this phenomenon a new name: a Yeti, which resembles a bear and has a mysterious origin<\/em>\u201d.<\/span><\/p>\n<p style=\"color: #666666\"><strong><span style=\"color: #2f2f2f\">Threatening many different sectors<\/span><\/strong><\/p>\n<p style=\"color: #666666\"><span style=\"color: #2f2f2f\">Energetic Bear\/Crouching Yeti has been involved in numerous advanced persistent threat (APT) campaigns. According to Kaspersky Lab\u2019s research, its victims appear to span a much wider range of enterprises than previously thought. The victims come largely from the industrial\/machinery, manufacturing, pharmaceutical, construction, education and information technology sectors.<\/span><\/p>\n<p style=\"color: #666666\"><span style=\"color: #2f2f2f\">The total number of known victims is over 2,800 worldwide. Among them are 101 organizations that Kaspersky Lab researchers were able to identify. While this list of victims reveals Crouching Yeti\u2019s interest in strategic targets, it also shows that it takes an interest in certain groups within many other, lesser-known institutions. 
Kaspersky Lab experts believe that these groups may be collateral victims, but that it may nevertheless be reasonable to redefine Crouching Yeti not only as a campaign with high-profile targets in a very specific area, but also as a broad campaign with interests in different sectors.<\/span><\/p>\n<p style=\"color: #666666\"><span style=\"color: #2f2f2f\">Most of the attacked organizations are located in the United States, Spain and Japan, while there were also victims in Germany, France, Italy, Turkey, Ireland, Poland and China. Given the nature of the known victims, the main impact of the attacks is seen to be the disclosure of highly sensitive information such as trade secrets and know-how.<\/span><\/p>\n<p style=\"color: #666666\"><span style=\"color: #2f2f2f\">It is hard to call Crouching Yeti a sophisticated campaign. For example, the attackers were seen to use exploit code that is widely available on the Internet rather than zero-day exploits. 
Even so, this did not prevent the campaign from staying under the radar for several years.<\/span><\/p>\n<p style=\"color: #666666\"><span style=\"color: #2f2f2f\">Kaspersky Lab researchers found evidence of five pieces of malware used by the attackers to gather valuable information from compromised systems:<\/span><\/p>\n<p style=\"color: #666666\">\u00b7\u00a0<span style=\"color: #2f2f2f\">Havex Trojan<\/span><\/p>\n<p style=\"color: #666666\">\u00b7\u00a0<span style=\"color: #2f2f2f\">Sysmain Trojan<\/span><\/p>\n<p style=\"color: #666666\">\u00b7\u00a0<span style=\"color: #2f2f2f\">ClientX backdoor<\/span><\/p>\n<p style=\"color: #666666\">\u00b7\u00a0<span style=\"color: #2f2f2f\">Karagany backdoor and related stealers<\/span><\/p>\n<p style=\"color: #666666\">\u00b7\u00a0<span style=\"color: #2f2f2f\">Lateral movement and second-stage tools<\/span><\/p>\n<p style=\"color: #666666\"><span style=\"color: #2f2f2f\">The most widely used tool was the Havex Trojan. Kaspersky Lab researchers discovered a total of 27 different versions of this malicious program, as well as several additional modules, including tools for collecting data from industrial control systems. 
Kaspersky Lab products detect and eliminate all variants of the malware used in this campaign.<\/span><\/p>\n<p style=\"color: #666666\"><span style=\"color: #2f2f2f\">Havex and the other malicious tools used by Crouching Yeti connect to a large network of hacked websites for command and control. These sites host victim information and serve commands to infected systems along with additional malware modules. Currently, the Havex Trojan is known to have two very special modules that allow the attacker to collect and transmit data from specific industrial IT environments.<\/span><\/p>\n<p style=\"color: #666666\"><strong><span style=\"color: #2f2f2f\">Mysterious origin<\/span><\/strong><\/p>\n<p style=\"color: #666666\"><span style=\"color: #2f2f2f\">Kaspersky Lab researchers observed several meta features that might point to the national origin of the criminals behind this campaign. In particular, a timestamp analysis was performed on 154 files, concluding that most of the samples were compiled between 06:00 and 16:00 UTC. This could point to any country in Europe, as well as Eastern Europe.<\/span><\/p>\n<p style=\"color: #666666\"><span style=\"color: #2f2f2f\">The experts also analyzed the actor\u2019s language. 
The strings found in the analyzed malware are in English (written by non-native speakers). Unlike many researchers who have analyzed this campaign, Kaspersky Lab experts could not reach a definite conclusion that this actor is of Russian origin. In contrast to the findings Kaspersky Lab documented in its research on Red October, Miniduke, Cosmicduke, Snake and TeamSpy, Cyrillic content (or transliteration) is absent from all of the nearly 200 malicious binaries and the related operational content. In addition, clues pointing to French and Swedish speakers were also found.<\/span><\/p>\n<p style=\"color: #666666\"><span style=\"color: #2f2f2f\">Kaspersky Lab experts, working together with law enforcement and industry partners, continue to investigate this campaign. 
The full text of the research is available at\u00a0<\/span><a style=\"color: #0033cc\" href=\"https:\/\/securelist.com\/blog\/research\/65240\/energetic-bear-more-like-a-crouching-yeti\" target=\"_blank\" rel=\"noopener\"><span style=\"color: blue\">Securelist.com<\/span><\/a><span style=\"color: #2f2f2f\">.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Crouching Yeti is still active and is looking to expand its list of victims.\u00a0Kaspersky Lab has released details of the research carried out by its Global Research and Analysis Team (GReAT) into the cyber-espionage campaign known as Crouching Yeti.<\/p>\n","protected":false},"author":350,"featured_media":1311,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1287],"tags":[744,614],"class_list":{"0":"post-1310","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-guvenlik","9":"tag-hedeflisaldiri"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/siber-casusluk-kampanyasi-crouching-yeti-halen-aktif\/1310\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/guvenlik\/","name":"G\u00fcvenlik"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/1310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/350"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=1310"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-js
on\/wp\/v2\/posts\/1310\/revisions"}],"predecessor-version":[{"id":7771,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/1310\/revisions\/7771"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/1311"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=1310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=1310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=1310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}