Frozenbarents

Threat Actor updated 5 months ago (2024-05-04T21:17:46.848Z)

Download STIX

Preview STIX

Frozenbarents, also known as Sandworm or Voodoo Bear, is a threat actor linked to Russia's GRU military intelligence agency. Noted for its versatility, the group has executed a variety of cyber-attacks against Ukraine and NATO countries, with a particular emphasis on critical infrastructure, utilities, public services, and the media. The group's activities have been tracked by Google's Threat Analysis Group (TAG), which observed Frozenbarents impersonating a Ukrainian drone training school in April. The threat actor used an email lure themed as an invitation to join the drone school to deliver the Rhadamanthys infostealer, a type of malware designed to steal information from infected systems. This email contained a link to an anonymous file-sharing service, fex[.]net, which delivered a benign decoy PDF document with a drone operator training curriculum and a malicious ZIP file exploiting CVE-2023-38831. The use of commercially available infostealers, typically employed by cybercrime actors, is unusual for Frozenbarents. Frozenbarents' campaigns have targeted various sectors, including the energy sector and ongoing hack-and-leak operations. One phishing campaign attributed to the group involved a decoy message about training drone operators that led to a packed version of the Rhadamanthys information-stealing malware. The TAG team has reported that the group's activities are part of a broader pattern of Russian and Belarusian cyber activities focused on targeting Ukraine, with other threat actors such as Frozenlake (aka APT28) and Pushcha (a Belarusian threat actor) also involved.

Description last updated: 2024-05-04T20:27:57.635Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Sandworm is a possible alias for Frozenbarents. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Phishing

Google

Decoy

Infostealer

Ukraine

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Frozenbarents Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	a year ago	APT29 group exploited WinRAR 0day in attacks against embassies
CERT-EU	a year ago	Russian and Chinese nation-state actors target recently patched WinRAR zero-day
CERT-EU	a year ago	Government-backed actors exploiting WinRAR vulnerability
Securityaffairs	a year ago	Multiple APT groups exploited WinRAR flaw CVE-2023-38831
BankInfoSecurity	a year ago	Nation-State Hackers Exploiting WinRAR, Google Warns
CERT-EU	a year ago	Russian hackers offered phony drone training to exploit WinRAR vulnerability
CERT-EU	a year ago	Cyber security week in review: April 21, 2023
InfoSecurity-magazine	2 years ago	Google Report Reveals Russia's Elaborate Cyber Strategy in Ukraine
CERT-EU	a year ago	Eastern Europe's energy industry targeted by Russian hackers