For March 2018, it is certainly appropriate that the adversary featured on the CrowdStrike calendar is VENOMOUS BEAR. Recent public reporting has surfaced indicating that this threat actor is suspected of breaching a Western government’s foreign ministry, and there have been new innovations by this threat group in its tools and capabilities.
VENOMOUS BEAR is an advanced, Russia-based adversary that’s been active since at least 2004. Since then, it has deployed malware to targets using several novel methods, including trojanized software and the infection of removable storage devices. The majority of tooling used by the adversary appears to be created in-house and represents a rich set of malware, which is extremely complex and provides interoperability between variants as they are developed over time. This actor has developed tools for multiple platforms, including Windows, Mac, and Linux.
Large parts of VENOMOUS BEAR operational infrastructure have been supported by a complex and distinctively deniable network, established using a combination of compromised servers acting as proxies and spoofing techniques likely supported by a nation-state-level signals intelligence (SIGINT) capability. VENOMOUS BEAR has also conducted operations via spear-phishing emails containing malicious attachments or using compromised legitimate websites in strategic web compromise (SWC) activity.
This adversary was particularly active in early to mid-2015 when it was observed carrying out SWC attacks via numerous compromised embassy, government, educational and non-governmental organization (NGO) websites. Primary targets for this adversary are in the government, aerospace, NGO, defense, cryptology and education sectors.
Community or industry names Turla, Snake, and Krypton have been associated with this actor.
To learn more about how to incorporate intelligence on threat actors like VENOMOUS BEAR into your security strategy, please visit the Falcon Intelligence product page.
Tells us why threat intelligence is critical to effective cybersecurity and you could receive a coveted Adversary Calendar featuring a different adversary each month. Enter to win!