| FlyingYeti | |
| --- | --- |
| Other Names | UAC-0149 |
| Location | Russia |
| Date of Initial Activity | 2014 |
| Suspected Attribution | State-sponsored threat actor |
| Government Affiliation | Yes |
| Associated Groups | Fancy Bear, Cozy Bear, Sofacy |
| Motivation | Cyberespionage |
| Associated Tools | GSKiller |
Overview
FlyingYeti, also tracked as UAC-0149, is a cyber espionage group that emerged around 2016 and has since operated primarily against Ukrainian organizations. Its campaigns are built to extract sensitive information from victims: the group relies on custom-built malware, tailored spear-phishing, and advanced persistence techniques to infiltrate targets and keep access to compromised systems. The consistent intelligence-gathering focus and bespoke tooling illustrate the continuing threat posed by nation-state actors and the need for organizations to keep their security awareness and preparedness current against increasingly sophisticated adversaries.
Common targets
Government Organizations
Military Institutions
Critical Infrastructure
Diplomatic Entities
Geopolitical Research Centers
Attack vectors
Phishing Emails
Exploitation of Vulnerabilities
Malicious Attachments
Remote Desktop Protocol (RDP) Exploitation
Credential Dumping
How they operate
FlyingYeti uses a multi-stage approach to its cyber espionage operations. The primary mode of initial access is spear-phishing: highly targeted emails are crafted to persuade recipients to download a malicious attachment or click a harmful link. These emails imitate legitimate communications, which makes it hard for recipients to recognize the malicious intent. Once the recipient opens the attachment or follows the link, malware is deployed that establishes a foothold within the victim’s network.
After infiltration, FlyingYeti applies a range of tools and techniques to advance its objectives. The group exploits known software vulnerabilities to escalate privileges and move laterally within the network, and frequently deploys web shells on compromised servers to keep persistent access and control. It also uses Remote Desktop Protocol (RDP) to reach and operate systems interactively, which widens its ability to execute commands and gather sensitive information.
To retain control of compromised infrastructure, FlyingYeti stands up command and control (C2) servers that relay communication between the operators and their malware. These C2 servers issue commands, receive exfiltrated data, and push updates to the implants. Credential dumping is another key tactic: harvested legitimate credentials let the group reach additional systems and data under the cover of normal user activity.
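The intrusion chain described above (web shell, RDP access, credential dumping, C2 beaconing) lends itself to host-level correlation. The following is an added example, not tooling from the page or from any vendor: it maps constructed Windows Security/Sysmon-style events to the stages the text describes and flags hosts seen at several stages. Field names, the internal address ranges, and the beacon-count threshold are assumptions chosen for illustration.

```python
"""Correlate constructed endpoint events against the stages of the described chain."""
from collections import defaultdict

# Constructed sample events (not real telemetry). Keys mirror attributes a
# defender would pull from Security 4624/4688 and Sysmon 1/3/10 records.
EVENTS = [
    {"host": "web01", "type": "process", "parent": "w3wp.exe", "image": "cmd.exe"},
    {"host": "web01", "type": "logon", "logon_type": 10, "src_ip": "203.0.113.5"},
    {"host": "web01", "type": "process_access", "target": "lsass.exe", "access": "0x1010"},
    {"host": "web01", "type": "netconn", "image": "svchost.exe", "dst_port": 443, "beacons": 48},
    {"host": "fs02", "type": "logon", "logon_type": 10, "src_ip": "10.0.5.20"},
]

WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}  # parents a web shell runs under
SHELLS = {"cmd.exe", "powershell.exe"}
INTERNAL_NETS = ("10.", "192.168.")  # assumption: RDP from these ranges is expected
PROCESS_VM_READ = 0x0010  # access right credential dumpers need against LSASS


def stage(ev):
    """Return the chain stage one event evidences, or None if it is benign."""
    t = ev["type"]
    if t == "process" and ev["parent"].lower() in WEB_SERVERS and ev["image"].lower() in SHELLS:
        return "web_shell"
    if t == "logon" and ev["logon_type"] == 10 and not ev["src_ip"].startswith(INTERNAL_NETS):
        return "rdp_external"  # interactive RDP (type 10) from outside the expected ranges
    if t == "process_access" and ev["target"].lower() == "lsass.exe" \
            and int(ev["access"], 16) & PROCESS_VM_READ:
        return "credential_dumping"
    if t == "netconn" and ev["beacons"] >= 24:
        return "c2_beaconing"  # assumption: >= 24 periodic connections/hour is a beacon
    return None


def correlate(events):
    """Group distinct stages per host so multi-stage hosts stand out."""
    seen = defaultdict(set)
    for ev in events:
        s = stage(ev)
        if s:
            seen[ev["host"]].add(s)
    return dict(seen)


def triage(events, threshold=2):
    """Hosts that reached at least `threshold` distinct stages, most stages first."""
    hits = correlate(events)
    return sorted((h for h, s in hits.items() if len(s) >= threshold), key=lambda h: -len(hits[h]))


if __name__ == "__main__":
    print(triage(EVENTS))
```

Single-stage hits (such as the internal RDP logon on fs02) are kept in `correlate` output for context but only cross the `triage` threshold when they co-occur with another stage on the same host.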
MITRE Tactics and Techniques
Initial Access (TA0001)
Execution (TA0002)
Persistence (TA0003)
Privilege Escalation (TA0004)
Defense Evasion (TA0005)
Credential Access (TA0006)
Discovery (TA0007)
Lateral Movement (TA0008)
Collection (TA0009)
Command and Control (TA0011)
Exfiltration (TA0010)
Impact / Significant Attacks
Energy Sector Attacks (2014-2017): FlyingYeti targeted entities within the energy sector, particularly in the Middle East. These attacks were characterized by sophisticated spear-phishing campaigns and the deployment of custom malware to compromise industrial control systems.
Aviation Industry Breach (2016): The group targeted aviation industry organizations, gaining access to sensitive operational data. This breach was part of a larger campaign aimed at gathering intelligence on critical infrastructure and logistics.
Financial Sector Incidents (2017): FlyingYeti conducted cyber espionage operations against financial institutions, focusing on acquiring financial data and insights into economic activities. These attacks involved exploiting vulnerabilities in financial systems and deploying advanced malware.
Telecommunications Attacks (2018): The threat actor targeted telecommunications companies to gather information related to network operations and communication infrastructure. The attacks involved sophisticated phishing tactics and network exploitation techniques.
Healthcare Sector Breach (2019): FlyingYeti compromised healthcare organizations to steal sensitive patient data and medical research information. The attacks utilized targeted spear-phishing emails and advanced malware to infiltrate the networks.
Government Agency Compromise (2020): The group was involved in attacks against government agencies, where they sought to gain access to classified and sensitive governmental information. The attack vectors included sophisticated phishing campaigns and exploitation of known software vulnerabilities.