VENOMOUS BEAR is an advanced, Russia-based adversary that’s been active since at least 2004. Some of it’s aliases include Turla, Snake, and Krypton. Recent public reporting has surfaced indicating that this threat actor is suspected of breaching a Western government’s foreign ministry, and there have been new innovations by this threat group in its tools and capabilities.
Venomous Bear’s Methods
Venomous Bear has deployed malware to targets using several novel methods, including trojanized software and the infection of removable storage devices. The majority of tooling used by the adversary appears to be created in-house and represents a rich set of malware, which is extremely complex and provides interoperability between variants as they are developed over time. This actor has developed tools for multiple platforms, including Windows, Mac, and Linux.
Large parts of VENOMOUS BEAR operational infrastructure have been supported by a complex and distinctively deniable network, established using a combination of compromised servers acting as proxies and spoofing techniques likely supported by a nation-state-level signals intelligence (SIGINT) capability. VENOMOUS BEAR has also conducted operations via spear-phishing emails containing malicious attachments or using compromised legitimate websites in strategic web compromise (SWC) activity.
Venomous Bear’s Targets
Primary targets for this adversary are in the government, aerospace, NGO, defense, cryptology and education sectors. This adversary was particularly active in early to mid-2015 when it was observed carrying out SWC attacks via numerous compromised embassy, government, educational and non-governmental organization (NGO) websites.
Other Known Russian-Based Adversaries
Curious about other nation-state adversaries? Visit our threat actor center to learn about the new adversaries that the CrowdStrike team discovers.
To learn more about how to incorporate intelligence on threat actors like VENOMOUS BEAR into your security strategy, please visit the Falcon Intelligence product page.