WhiteBear is a threat actor associated with the Turla group (also tracked as Snake, Venomous Bear, Uroburos, and WhiteBear). The association was established through strong links identified between a Crutch dropper from 2016 and Gazer, a second-stage backdoor used by Turla in 2016-2017. WhiteBear's activities included scripting spearphish attachments, following up on the initial WhiteAtlas scripting development and deployment efforts, and sharing infrastructure with KopiLuwak while deploying unusual .js scripting. The encryption implemented in the WhiteBear orchestrator is notably complex, underscoring the sophistication of this threat actor.
From a targeting perspective, the activities of WhiteBear and KopiLuwak were closely aligned, and the two shared known compromised infrastructure such as soligro[.]com. This domain was used in another Turla operation (KopiLuwak) and served as the C2 server for the WhiteBear transport library. Over a couple of years, WhiteBear's targets were related to government foreign affairs and international organizations, and later to defense organizations. Its activities stretched across the globe, indicating a broad scope of operations.
Despite its prolific and longstanding nature, WhiteBear activity reliant on this toolset appeared to diminish in June 2017. However, the WhiteBear C2 servers are consistent with long-standing Turla infrastructure management practices, meaning the backdoors call back to a mix of compromised servers and hijacked destination satellite IP hosts. As such, Turla remains one of the most advanced and most researched Advanced Persistent Threats (APTs), with the potential for continued or resurgent activity.
Description last updated: 2024-05-05T00:42:02.822Z