APTs Tracked in October: Venomous Bear

BlueVoyant

"Life in the SOC" is a blog series that shares the experiences of the BlueVoyant SOC in defending against the current and prevalent attacks encountered by our clients. The posts discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Venomous Bear is another group that was quite active in October. This threat group (also known as Turla, Snake, Uroboros) is an advanced, Russia-based adversary that typically targets foreign governments, defense technologies, and the education sector.

The first sighting this month involved the use of a Remote Access Trojan (RAT) named Reductor. This malware allowed attackers to take full control of the victim system while also modifying browser configurations. These modifications act as a tracking mechanism for TLS traffic. It is not yet known what this information will be used for.

In mid-October a campaign was observed in which Venomous Bear appears to be using Iranian cyber-espionage tools and masquerading as attackers from the Islamic Republic. The current campaign has used tools from the Iranian APT known as Helix Kitten (APT34) to successfully attack organizations in at least 20 different countries over the last 18 months, according to British security officials. Researchers do not believe the two groups are colluding; rather, it appears that Venomous Bear infiltrated Helix Kitten's infrastructure. According to information provided by the NSA and GCHQ, the Russian group was also able to access the networks of existing Helix Kitten victims and even obtain the code needed to build its own "Iranian" hacking tools.