Venomous Bear

Threat Actor updated 4 months ago (2024-05-18T00:17:31.708Z)
Venomous Bear, also known as Turla, Uroburos, Snake, and other names, is a threat actor group attributed to Center 16 of the Federal Security Service (FSB) of the Russian Federation. The group has been active since at least 2004, targeting diplomatic and government organizations, as well as private businesses, in regions including the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations. Its activities have included cyberespionage and the deployment of ransomware, with notable incidents such as a damaging hack of Germany's Foreign Ministry in 2017. Recently, Venomous Bear has focused its efforts on the Information Technology industry, specifically targeting Dragos. The group has used malware known as "Snake" or "Uroburos," which was identified through a search of information associated with the computers making up the Snake Malware Network. It has also employed a novel backdoor named "TinyTurla-NG," which was used against several non-governmental organizations across Poland between December and late January. Despite the long-standing attribution of certain campaigns to Venomous Bear, recent research suggests that some operations previously connected to the group were actually conducted by an entirely separate entity named "Tomiris." This underscores the complexity and evolving nature of the threat landscape, and the need for continuous vigilance and robust cybersecurity strategies to mitigate the risks posed by such sophisticated threat actors.
Description last updated: 2024-05-18T00:15:43.623Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Turla | 6 | Turla, a threat actor linked to Russia, is known for its sophisticated cyber-espionage activities. It has been associated with numerous high-profile attacks, employing innovative techniques and malware to infiltrate targets and execute actions with malicious intent. According to MITRE ATT&CK and MIT
Snake | 5 | Snake, also known as EKANS, is a threat actor first identified by Dragos on January 6, 2020. This malicious entity is notorious for its deployment of ransomware and keyloggers, primarily targeting business networks. The Snake ransomware variant has been linked to Iran and exhibits an industrial focu
Uroburos | 5 | Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen
Waterbug | 3 | Waterbug, also known as Turla, Venomous Bear, and other aliases, is a cyberespionage group closely affiliated with the FSB Russian intelligence agency. This threat actor has been active since at least 2004, targeting government entities, intelligence agencies, educational institutions, research faci
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Backdoor
Crowdstrike
Associated Malware
ID | Type | Votes | Profile Description
TinyTurla | Unspecified | 2 | TinyTurla is a form of malware, malicious software designed to infiltrate and damage computer systems without the user's knowledge. It can enter systems via suspicious downloads, emails, or websites, and once inside, it has the potential to steal personal information, disrupt operations, or hold dat
Kazuar | Unspecified | 2 | Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar
Associated Threat Actors
ID | Type | Votes | Profile Description
Krypton | Unspecified | 2 | Krypton, also known as Secret Blizzard or UAC-0003, is a significant threat actor that has been associated with Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since at least 2004, targeting diplomatic and government organizations as well as priva
Source Document References
Information about the Venomous Bear Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
Securityaffairs | 4 months ago | Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs
CERT-EU | 7 months ago | Alternative cyber defense techniques urged by ex-NSA director
DARKReading | 7 months ago | Russian APT Turla Wields Novel Backdoor Malware Against Polish NGOs
Securityaffairs | 7 months ago | Turla APT uses new TinyTurla-NG backdoor to spy on Polish NGOs
DARKReading | 10 months ago | Upgraded Kazuar Backdoor Offers Stealthy Power
CERT-EU | a year ago | CrowdStrike Achieves 100% Across the Board in MITRE Engenuity ATT&CK®
CrowdStrike | a year ago | CrowdStrike Scores 100% in SE Labs 2023 Q2 EAS Test | CrowdStrike
CERT-EU | a year ago | Cyber Attacks by Non-State Actors Continue Astride in Europe
BankInfoSecurity | a year ago | GoldenJackal APT Targeting South Asian Government Agencies
MITRE | 2 years ago | TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines
CERT-EU | a year ago | Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
CERT-EU | a year ago | Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers
CERT-EU | a year ago | Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
CERT-EU | a year ago | U.S. Government Neutralizes Russia's Most Sophisticated Snake Cyber Espionage Tool
CERT-EU | a year ago | FBI dismantles 'Snake' malware network created by Russian spies
CERT-EU | a year ago | Operation MEDUSA Brings Down 'Snake' - Russia's Cyberespionage Malware
CERT-EU | a year ago | The Snake, The FBI, And Center 16: Why The Takedown Of A 'Most Sophisticated Cyber-Espionage Tool' Is Important – Analysis
CERT-EU | a year ago | Neutralization by the U.S. government of Snake, a formidable Russian cyber threat
CERT-EU | a year ago | Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct