Home Blog APTs Tracked in October: Venomous Bear APTs Tracked in October: Venomous Bear BlueVoyant Share: Facebook Twitter LinkedIn “Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities. Venomous Bear is another group that was quite active in October. This threat group (also known as Turla, Snake, Uroboros) is an advanced, Russia-based adversary that typically targets foreign governments, defense technologies, and education sectors. Their first sighting involved the use of a Remote Access Trojan (RAT) named Reductor. This malware allowed attackers to take full control over the victim system while also making modifications to browser configurations. These modifications act like a tracking mechanism for TLS traffic. It is not yet known what this information will be used for. In mid-October a campaign was observed where Venomous Bear appears to be using Iranian cyber-espionage tools and masquerading as attackers from the Islamic Republic. The current campaign has used tools from the Iranian APT known as Helix Kitten (APT34) to successfully attack organizations in at least 20 different countries over the last 18 months, according to British security officials. Researchers do not believe the two groups are colluding, but rather, it appears that Venomous Bear infiltrated Helix Kitten’s infrastructure. According to information provided by the NSA and GCHQ, The Russian group was also able to access the networks of existing Helix Kitten victims and even access the code needed to build its own “Iranian” hacking tools. Share: Facebook Twitter LinkedIn Related reading Blog Understanding the frailty of the software supply chain In December 2020, the cybersecurity industry faced its latest attack – SolarWinds. This hack reinforces the frailty of not only the software supply chain… Read more Blog Five Steps to Protect Your Supply Chain: A Board-Level Perspective Last month, the cybersecurity industry faced its latest major attack through a third-party IT management software company, SolarWinds. This breach… Read more Blog The Supply Chain is Part of Your Organization’s Security Posture SolarWinds was not the first supply chain cyber attack and it won’t be the last. Everyday companies find themselves compromised through their vendors, who… Read more
BlueVoyant Share: Facebook Twitter LinkedIn “Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities. Venomous Bear is another group that was quite active in October. This threat group (also known as Turla, Snake, Uroboros) is an advanced, Russia-based adversary that typically targets foreign governments, defense technologies, and education sectors. Their first sighting involved the use of a Remote Access Trojan (RAT) named Reductor. This malware allowed attackers to take full control over the victim system while also making modifications to browser configurations. These modifications act like a tracking mechanism for TLS traffic. It is not yet known what this information will be used for. In mid-October a campaign was observed where Venomous Bear appears to be using Iranian cyber-espionage tools and masquerading as attackers from the Islamic Republic. The current campaign has used tools from the Iranian APT known as Helix Kitten (APT34) to successfully attack organizations in at least 20 different countries over the last 18 months, according to British security officials. Researchers do not believe the two groups are colluding, but rather, it appears that Venomous Bear infiltrated Helix Kitten’s infrastructure. According to information provided by the NSA and GCHQ, The Russian group was also able to access the networks of existing Helix Kitten victims and even access the code needed to build its own “Iranian” hacking tools. Share: Facebook Twitter LinkedIn Related reading Blog Understanding the frailty of the software supply chain In December 2020, the cybersecurity industry faced its latest attack – SolarWinds. This hack reinforces the frailty of not only the software supply chain… Read more Blog Five Steps to Protect Your Supply Chain: A Board-Level Perspective Last month, the cybersecurity industry faced its latest major attack through a third-party IT management software company, SolarWinds. This breach… Read more Blog The Supply Chain is Part of Your Organization’s Security Posture SolarWinds was not the first supply chain cyber attack and it won’t be the last. Everyday companies find themselves compromised through their vendors, who… Read more
Blog Understanding the frailty of the software supply chain In December 2020, the cybersecurity industry faced its latest attack – SolarWinds. This hack reinforces the frailty of not only the software supply chain… Read more
Blog Five Steps to Protect Your Supply Chain: A Board-Level Perspective Last month, the cybersecurity industry faced its latest major attack through a third-party IT management software company, SolarWinds. This breach… Read more
Blog The Supply Chain is Part of Your Organization’s Security Posture SolarWinds was not the first supply chain cyber attack and it won’t be the last. Everyday companies find themselves compromised through their vendors, who… Read more
