APTs Tracked in October: Venomous Bear

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Venomous Bear is another group that was quite active in October. This threat group (also known as Turla, Snake, Uroboros) is an advanced, Russia-based adversary that typically targets foreign governments, defense technologies, and education sectors. Their first sighting involved the use of a Remote Access Trojan (RAT) named Reductor. This malware allowed attackers to take full control over the victim system while also making modifications to browser configurations. These modifications act like a tracking mechanism for TLS traffic. It is not yet known what this information will be used for. In mid-October a campaign was observed where Venomous Bear appears to be using Iranian cyber-espionage tools and masquerading as attackers from the Islamic Republic. The current campaign has used tools from the Iranian APT known as Helix Kitten (APT34) to successfully attack organizations in at least 20 different countries over the last 18 months, according to British security officials. Researchers do not believe the two groups are colluding, but rather, it appears that Venomous Bear infiltrated Helix Kitten’s infrastructure. According to information provided by the NSA and GCHQ, The Russian group was also able to access the networks of existing Helix Kitten victims and even access the code needed to build its own “Iranian” hacking tools.