The PolySwarm Blog

Executive Summary

This Threat Bulletin is part of PolySwarm’s 2024 Recap series. This report provides highlights of activity perpetrated by Russia-based threat actors in 2024.

Key Takeaways

• This report provides highlights of activity perpetrated by Russia-based threat actors in 2024.
• Threat actors featured in this report include Cozy Bear, VooDoo Bear, Fancy Bear, Primitive Bear, Venomous Bear, and Gossamer Bear.
• PolySwarm tracked malware associated with multiple Russia nexus threat actors in 2024. 

2024 Russia Nexus Threat Actor Activity 

Cozy Bear

Cozy Bear, also known as APT29, Nobelium, Dukes, Iron Hemlock, Grizzly Steppe, Cloaked Ursa, and TA421, is a Russia nexus threat actor group active since at least 2008. Cozy Bear focuses on espionage activities and typically targets Western governments, agencies, think tanks, and government contractors. A component of Cozy Bear was responsible for the SolarWinds compromise in late 2020. Industry researchers have linked Cozy Bear to Russia’s Foreign Intelligence Service (SVR).

Activity

• In early 2024, Microsoft disclosed Cozy Bear had breached its systems and accessed email accounts associated with senior executives. Microsoft later provided updates acknowledging Cozy Bear also stole source code and customer secrets. 
• In June 2024, Cozy Bear reportedly breached TeamViewer’s IT environment. 
• In August 2024, industry researchers reported that Cozy Bear targeted Mongolian government websites in an attempt to hijack the mobile devices of website visitors. 
• In October 2024, US agencies issued a joint cybersecurity advisory warning of Cozy Bear’s aggressive targeting of U.S. critical infrastructure for the purposes of espionage and follow on operations. 
• In October 2024, Cozy Bear was observed targeting over 100 organizations globally in a phishing campaign using Microsoft and AWS-themed lures. 

VooDoo Bear

VooDoo Bear, also known as Sandworm, Black Energy, Electrum, Iron Viking, Telebots, and Quedagh, is a Russia nexus APT group active since at least 2009. Industry researchers have linked VooDoo Bear to GRU Unit 74455.

Activity

• In March 2024, VooDoo Bear was observed using AcidPour, a variant of AcidRain wiper, to target entities in Ukraine. 

Fancy Bear

Fancy Bear, also known as APT28, Pawnstorm, SnakeMackerel, Strontium, Sednit, Sofacy, and Tsar Team, is a Russia nexus APT group associated with Unit 26165 of the Russian intelligence entity known as the GRU. The group has been active since at least 2007 and targets government, military, and security entities. 

Activity

• In January 2024, a court-authorized operation led to a takedown of a large network of SOHO routers used by Fancy Bear for operations. 
• In early 2024, industry researchers reported that Fancy Bear was observed targeting entities in Ukraine with three new malware families: OCEANMAP, MASEPIE, and STEELHOOK. While the attacks happened in late 2023, the activity was not made public until 2024. 
• In 2024, industry researchers reported on Fancy Bear exploiting CVE-2022-38028 using a post-compromise tool known as GooseEgg. The activity likely began as early as 2019.
• In May 2024, Fancy Bear targeted entities in Europe using HeadLace malware and credential harvesting.  
• In June 2024, Poland state authorities accused Russian threat actors of attacking the website for the public television network TVP, making it unstable for a portion of the Euro 2024 broadcast. Industry researchers later linked the attack to Fancy Bear. 
• In November 2024, Fancy Bear was observed using credential stuffing on wireless networks in close proximity to an infected target. This new attack method was dubbed the Nearest Neighbor attack by Volexity.

Primitive Bear

Primitive Bear, also known as Armageddon, Gamaredon, Actinium, Iron Tilden, Shuckworm, and Blue Alpha, is a Russia nexus threat actor group active since at least 2013. Primitive Bear primarily used off the shelf tools in early campaigns but began to develop their own malware in recent years. The Ukrainian government has linked Primitive Bear to officers stationed in Crimea associated with Russia’s Federal Security Service (FSB). 

Activity

• In 2024, Primitive Bear was observed using two new Android spyware families, BoneSpy and PlainGnome, to target entities in former Soviet states. The activity has likely been ongoing since at least 2021. 
• In late 2024, Primitive Bear was observed abusing Cloudflare services to spy on entities in Ukraine. 

Venomous Bear

Venomous Bear, also known as Snake, Turla, Oroburos, Waterbug, Krypton, Hippo Team, Iron Hunter, and Blue Python, is a Russia nexus threat actor group known to target Eastern Bloc nations, as well as other targets worldwide. The group has been active since at least 2004 and may have been active as early as the 1990s. Industry researchers assess Venomous Bear is affiliated with the FSB.  

Activity

• In May 2024, Venomous Bear was observed targeting a European ministry of foreign affairs and its diplomatic missions in the Middle East using a new toolset, dubbed the Lunar toolset. The toolset, which has likely been in use since at least 2020, includes two backdoors, LunarWeb and LunarMail, and a loader dubbed LunarLoader.

Gossamer Bear

Gossamer Bear, also known as UNC4057, Star Blizzard, Blue Charlie, TA446, Cold River, and Callisto, is a Russia nexus threat actor group. ColdRiver has been active since at least 2014 and is known to target NGOs, former military and intelligence officers, academic institutions, and NATO governments. The group relies heavily on phishing attacks, and their attacks appear to be espionage-driven.

Activity

• In early 2024, Gossamer Bear was observed using Spica backdoor in an espionage campaign. Spica, which is written in Rust, is the first custom malware developed by Gossamer Bear.
• In Q3 2024, the U.S. Department of Justice and Microsoft’s Digital Crimes Unit disrupted a Gossamer Bear spearphishing campaign. Over 107 domains were seized during this disruption. 

Other Activity

• In December 2024, the UK government warned that Russian threat actors have orchestrated attacks against media, telecommunications, political and democratic institutions, and critical infrastructure entities in the UK. The UK government noted they expect intensified activity by Russia nexus threat actors targeting the UK to occur in the near future. 

Tracking Russia Nexus Threat Actor Activity With PolySwarm

PolySwarm tracked malware associated with the following Russia nexus threat actors in 2024:

VooDoo Bear

6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728 

Fancy Bear

18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6

24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04

19d0c55ac466e4188c4370e204808ca0bc02bba480ec641da8190cb8aee92bdc

593583b312bf48b7748f4372e6f4a560fd38e969399cf2a96798e2594a517bf4

c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5

6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f

41a9784f8787ed86f1e5d20f9895059dac7a030d8d6e426b9ddcaf547c3393aa

7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9 

Venomous Bear

d2fad779289732d1edf932b62278eb3090eb814d624f2e0a4fbbc613495c55e8

Gossamer Bear

37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9

You can use the following CLI command to search for all samples associated with a particular threat actor in our portal:

$ polyswarm link list -t ThreatActorName

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.