Turla, KRYPTON, Uroboros, Snake, Waterbug, IRON HUNTER
Venomous Bear often adopts novel and sophisticated techniques to maintain operational security, including the use of a distinctive command-and-control network highly likely to be supported by Signals Intelligence (SIGINT) assets.
The adversary's initial network intrusion processes are also particularly considerate of operational security concerns; their extensive use of Strategic Web Compromise (SWC) techniques is combined with several checks to identify, prioritize, and deploy malware only to specific targets. In cases where spearphishing techniques are used to deploy malware, the adversary will often deploy lightweight reconnaissance tooling to verify targeting before upgrading hosts to more sophisticated malware capability at a later time.
Their operations have been supported by a large number of custom-developed malware families uniquely attributable to the adversary, including Snake, Chinch, Skipper, Kazuar, and Gayzer. A number of tools employed by the adversary have broadly been derived from two main development code bases, although a diversified series of malware families has been developed and deployed since approximately 2015, likely to reduce their exposure to detection and attribution.
In 2019, Venomous Bear continued to diversify their toolset, including the deployment of a new dropper and a malicious PowerShell script to deploy and install elements of their unique Chinch framework, and the introduction of .NET- and Python-based tooling in SWC operations. Continued targeting of Eastern European government institutions has also been identified, supported by the development of new variants of the Kazuar malware.
- NGOs and Nonprofits