Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR

VENOMOUS BEAR is an advanced, Russia-based adversary that’s been active since at least 2004. Some of it’s aliases include Turla, Snake, and Krypton. Recent public reporting has surfaced indicating that this threat actor is suspected of breaching a Western government’s foreign ministry, and there have been new innovations by this threat group in its tools and capabilities.

Venomous Bear’s Methods

Venomous Bear has deployed malware to targets using several novel methods, including trojanized software and the infection of removable storage devices. The majority of tooling used by the adversary appears to be created in-house and represents a rich set of malware, which is extremely complex and provides interoperability between variants as they are developed over time. This actor has developed tools for multiple platforms, including Windows, Mac, and Linux.

Large parts of VENOMOUS BEAR operational infrastructure have been supported by a complex and distinctively deniable network, established using a combination of compromised servers acting as proxies and spoofing techniques likely supported by a nation-state-level signals intelligence (SIGINT) capability. VENOMOUS BEAR has also conducted operations via spear-phishing emails containing malicious attachments or using compromised legitimate websites in strategic web compromise (SWC) activity.

Venomous Bear’s Targets

Primary targets for this adversary are in the government, aerospace, NGO, defense, cryptology and education sectors. This adversary was particularly active in early to mid-2015 when it was observed carrying out SWC attacks via numerous compromised embassy, government, educational and non-governmental organization (NGO) websites.

Other Known Russian-Based Adversaries

Curious about other nation-state adversaries? Visit our threat actor center to learn about the new adversaries that the CrowdStrike team discovers.

Learn More

To learn more about how to incorporate intelligence on threat actors like VENOMOUS BEAR into your security strategy, please visit the Falcon Intelligence product page.
Want the insights on the latest adversary tactics, techniques, and procedures (TTPs)? Download the CrowdStrike 2020 Global Threat Report

Adam Meyers

Adam Meyers has authored numerous papers for peer-reviewed industry venues and has received awards for his dedication to the information security industry. As Vice President of Intelligence for Crowdstrike, Meyers oversees all of CrowdStrike’s intelligence gathering and cyber-adversarial monitoring activities. Previously, Meyers was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International where he provided technical expertise at the tactical level and strategic guidance on overall security program objectives.

Venomous Bear’s Methods

Venomous Bear’s Targets

Other Known Russian-Based Adversaries

Learn More

Adam Meyers

Exploiting GlobalProtect for Privilege Escalation, Part Two: Linux and macOS

Exploiting GlobalProtect for Privilege Escalation, Part One: Windows

Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques