Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR

For March 2018, it is certainly appropriate that the adversary featured on the CrowdStrike calendar is VENOMOUS BEAR. Recent public reporting has surfaced indicating that this threat actor is suspected of breaching a Western government’s foreign ministry, and there have been new innovations by this threat group in its tools and capabilities.

VENOMOUS BEAR is an advanced, Russia-based adversary that’s been active since at least 2004. Since then, it has deployed malware to targets using several novel methods, including trojanized software and the infection of removable storage devices. The majority of tooling used by the adversary appears to be created in-house and represents a rich set of malware, which is extremely complex and provides interoperability between variants as they are developed over time. This actor has developed tools for multiple platforms, including Windows, Mac, and Linux.

Large parts of VENOMOUS BEAR operational infrastructure have been supported by a complex and distinctively deniable network, established using a combination of compromised servers acting as proxies and spoofing techniques likely supported by a nation-state-level signals intelligence (SIGINT) capability. VENOMOUS BEAR has also conducted operations via spear-phishing emails containing malicious attachments or using compromised legitimate websites in strategic web compromise (SWC) activity.

This adversary was particularly active in early to mid-2015 when it was observed carrying out SWC attacks via numerous compromised embassy, government, educational and non-governmental organization (NGO) websites. Primary targets for this adversary are in the government, aerospace, NGO, defense, cryptology and education sectors.

Community or industry names Turla, Snake, and Krypton have been associated with this actor.

To learn more about how to incorporate intelligence on threat actors like VENOMOUS BEAR into your security strategy, please visit the Falcon Intelligence product page.

Download the CrowdStrike 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft.

Tells us why threat intelligence is critical to effective cybersecurity and you could receive a coveted Adversary Calendar featuring a different adversary each month. Enter to win!

Adam Meyers

Adam Meyers has authored numerous papers for peer-reviewed industry venues and has received awards for his dedication to the information security industry. As Vice President of Intelligence for Crowdstrike, Meyers oversees all of CrowdStrike’s intelligence gathering and cyber-adversarial monitoring activities. Previously, Meyers was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International where he provided technical expertise at the tactical level and strategic guidance on overall security program objectives.

Adam Meyers

CrowdStrike Provides Free Dashboard to Identify Vulnerable Macs

OverWatch Insights: Reviewing a New Intrusion Targeting Mac Systems

The Critical Role of the “Human Detection Engine” in Cybersecurity