Voodoo Bear

Threat Actor updated 7 months ago (2024-05-04T19:16:33.471Z)
VOODOO BEAR, also known as Sandworm, Seashell Blizzard, Iridium, Iron Viking, Telebots, and APT44, is a highly advanced threat actor with a suspected nexus to the Russian Federation. First identified in January 2018, the group has been active since 2000 and operates under the control of Military Unit 74455, a cyber warfare unit of the Russian military intelligence service (GRU). It has been attributed to several destructive operations, including the infamous Kyivstar attack, and uses sophisticated malware tools such as a wiper called PassKillDisk. The group has been notably aggressive against Ukraine, where it has targeted critical infrastructure during Russia's ongoing conflict with the country, including two significant disruptions to the Ukrainian electricity grid in 2015 and 2016. Western intelligence agencies link VOODOO BEAR directly to the GRU, indicating state sponsorship behind these cyber-attacks. The group has also used hacktivist fronts like Solntsepek for its operations, adding another layer of complexity to its tactics. Cybersecurity firms like CrowdStrike offer solutions that incorporate intelligence on such threat actors to enhance organizational security; further information on these services can be found on CrowdStrike's Falcon Intelligence product page. The identification and tracking of VOODOO BEAR underline the critical need for robust cybersecurity measures in the face of state-sponsored cyber threats.
Description last updated: 2024-05-04T18:01:38.857Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
| Alias Description | Votes |
|---|---|
| Sandworm is a possible alias for Voodoo Bear. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c | 4 |
| Telebots is a possible alias for Voodoo Bear. TeleBots, a notorious threat actor group also known as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognize | 3 |
| Seashell Blizzard is a possible alias for Voodoo Bear. Seashell Blizzard, also known as Iridium, Sandworm, Voodoo Bear, and APT44, is a state-sponsored threat actor group affiliated with the Russian military intelligence service (GRU). Microsoft has identified this group as distinct from other Advanced Persistent Threat (APT) groups operating under the | 3 |
| IRON VIKING is a possible alias for Voodoo Bear. Iron Viking, a threat actor group also known as Sandworm, Telebots, Voodoo Bear, and other names, has been active since 2000. This group operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). Iron Viking is notorious for its destructive cyber-espi | 2 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ukraine
Wiper
Russia
russian
Apt
Source Document References
Information about the Voodoo Bear Threat Actor was read from the documents corpus below.
| Source | Created |
|---|---|
| InfoSecurity-magazine | 7 months ago |
| Securityaffairs | 7 months ago |
| Securityaffairs | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| BankInfoSecurity | a year ago |
| Securityaffairs | a year ago |
| CERT-EU | a year ago |
| BankInfoSecurity | a year ago |
| Securityaffairs | a year ago |
| CERT-EU | a year ago |
| BankInfoSecurity | a year ago |
| Securityaffairs | a year ago |
| MITRE | 2 years ago |
| InfoSecurity-magazine | 2 years ago |
| CERT-EU | 2 years ago |
| CERT-EU | 2 years ago |
| CERT-EU | 2 years ago |
| Securityaffairs | 2 years ago |
| CERT-EU | 2 years ago |