The PolySwarm Blog


PolySwarm 2022 Recap - Threat Actor Activity Highlights: Russia

Dec 29, 2022 3:17:20 PM / by PolySwarm Tech Team


Executive Summary

This Threat Bulletin is part of PolySwarm’s 2022 Recap series. This report provides highlights of activity perpetrated by Russia-based threat actors in 2022. Russian APT activity in 2022 was heavily focused on targeting Ukraine for espionage and sabotage due to the ongoing Russia-Ukraine conflict. While the Russian cyber threat landscape includes a wide variety of ransomware and cybercrime threat actors, we have limited the scope of this report to state-sponsored threat actor activity.

Key Takeaways

  • This report highlights activity perpetrated by Russia-based APT threat actors in 2022.
  • Threat actors featured in this report include Cozy Bear, Fancy Bear, Energetic Bear, Venomous Bear, Primitive Bear, VooDoo Bear, Ember Bear, Saint Bear, UAC-0041, UAC-0088, and UAC-0098.
  • PolySwarm tracked malware associated with multiple Russia nexus threat actors in 2022. 

2022 Russia Nexus Threat Actor Activity

Cozy Bear
Cozy Bear, also known as APT29, Nobelium, Dukes, Iron Hemlock, Grizzly Steppe, Cloaked Ursa, and TA421, is a Russia nexus threat actor group active since at least 2008. Cozy Bear focuses on espionage activities and typically targets Western governments, agencies, think tanks, and government contractors. A component of Cozy Bear was responsible for the SolarWinds compromise in late 2020. Industry researchers have linked Cozy Bear to Russia’s Foreign Intelligence Service (SVR).


  • In early 2022, Cozy Bear was observed using Beatdrop and Boommic malware families. They were also abusing and retooling the legitimate application Trello. Cozy Bear targeted a diplomatic entity in this campaign. 
  • In February 2022, Cozy Bear targeted diplomatic entities in at least two countries in a phishing campaign. 
  • In March 2022, Cozy Bear used a natural disaster-themed lure to target an unnamed entity using CosmicDuke, a combination of backdoor and infostealer. 
  • In mid-2022, Cozy Bear was found leveraging DropBox and Google Drive in a malware campaign targeting an unnamed European NATO country. 
  • In August 2022, Cozy Bear used the CosmicDuke malware family to target an unspecified entity. 
  • At different points throughout 2022, Cozy Bear was observed targeting entities in Japan, the US, the UK, Germany, South Korea, and India.

Fancy Bear
Fancy Bear, also known as APT28, Pawnstorm, SnakeMackerel, Strontium, Sednit, Sofacy, and Tsar Team, is a Russia nexus APT group associated with Unit 26165 of the Russian intelligence entity known as the GRU. The group has been active since at least 2007 and targets government, military, and security entities.


  • In 2022, Fancy Bear was observed leveraging the Follina vulnerability. 
  • Throughout 2022, Fancy Bear launched multiple credential phishing campaigns targeting users in Ukraine. 
  • In mid-2022, Fancy Bear targeted users in Ukraine with malware meant to steal browser credentials. The threat actors used lures with a nuclear war theme in this campaign. 
  • In late 2022, Fancy Bear was reportedly discovered inside a US satellite network. The group likely infiltrated the satellite network months ago. 

Energetic Bear
Energetic Bear, also known as Berserk Bear, Allanite, Castle, Dymalloy, Dragonfly, Havex, and Blue Kraken, is a Russia nexus threat actor group. Energetic Bear primarily targets the energy vertical and conducts intelligence-gathering operations. Industry researchers have linked Energetic Bear with FSB Unit 71330.


  • According to industry researchers, Energetic Bear has engaged in data theft targeting entities in Ukraine in 2022. 

Venomous Bear
Venomous Bear, also known as Snake, Turla, Oroburos, Waterbug, Krypton, Hippo Team, Iron Hunter, and Blue Python, is a Russia nexus threat actor group known to target Eastern Bloc nations, as well as other targets worldwide. Venomous Bear is believed to be responsible for a 2008 attack on US Central Command. Industry researchers assess Venomous Bear is affiliated with the FSB.


  • In 2022, Venomous Bear was observed targeting defense and cybersecurity entities in the Baltic region using malicious documents. 
  • In mid-2022, Venomous Bear conducted a campaign leveraging malicious Android apps. In the campaign, they used a domain spoofing the Ukrainian Azov Regiment. 

Primitive Bear
Primitive Bear, also known as Armageddon, Gamaredon, Actinium, Iron Tilden, Shuckworm, and Blue Alpha, is a Russia nexus threat actor group active since at least 2013. Primitive Bear primarily used off-the-shelf tools in early campaigns but began to develop their own malware in recent years. The Ukrainian government has linked Primitive Bear to officers stationed in Crimea associated with Russia’s Federal Security Service (FSB).


  • Throughout 2022, Primitive Bear targeted government, military, NGO, judiciary, law enforcement, and nonprofit entities in Ukraine in various campaigns. 
  • In 2022, a campaign tentatively attributed to Primitive Bear used PseudoSteel malware to target unspecified entities in Ukraine. 
  • In January 2022, Primitive Bear targeted Ukrainian entities in an espionage campaign. The threat actors leveraged eight custom binaries in the campaign. 
  • In early 2022, Primitive Bear was observed using Pterodo (Pteranodon), a backdoor RAT, to target entities in Ukraine. The group used at least four different variants of Pterodo. 
  • In mid-2022, Primitive Bear was observed targeting entities in Ukraine with RAR archives distributing malicious LNK files.
  • In late 2022, Primitive Bear was discovered leveraging legitimate Microsoft Office templates in remote template injection attacks.

VooDoo Bear
VooDoo Bear, also known as Sandworm, Black Energy, Electrum, Iron Viking, Telebots, and Quedagh, is a Russia nexus APT group active since at least 2009. Industry researchers have linked VooDoo Bear to GRU Unit 74455.


  • In February 2022, VooDoo Bear’s Cyclops Blink botnet was discovered by US and UK agencies. Cyclops Blink activity began as early as mid-2019 and continued into 2022. 
  • In mid-2022, VooDoo Bear was observed leveraging the Follina vulnerability in a campaign using compromised government accounts to target media entities in Ukraine. 
  • In early 2022, VooDoo Bear used HermeticWiper, also known as FoxBlade, to target entities in Ukraine. HermeticWiper consisted of three components: an MBR wiper, a worm-like feature, and a decoy ransomware. 
  • In March 2022, VooDoo Bear used CaddyWiper to target government and critical infrastructure entities in Ukraine. 
  • In early 2022, VooDoo Bear used Industroyer2 to target the Ukrainian power grid. 
  • In mid-2022, UAC-0113, a group linked to VooDoo Bear by CERT-UA, was observed masquerading as telecommunications providers and targeting Ukrainians. They were observed leveraging DarkCrystal RAT in this campaign.
  • In 2022, VooDoo Bear was observed using a new ArguePatch variant to target Ukrainian assets. 

Ember Bear
Ember Bear, also known as UAC-0056, Lorec53, Lori Bear, DEV-0586, and Bleeding Bear, is a Russia nexus threat actor group known to target government and military entities in Eastern Europe for espionage purposes. They have been active since at least 2021. They are known to weaponize data and access obtained during attacks and leverage them for information operations. While no definitive proof has linked them to a state-sponsored entity, industry researchers assess Ember Bear’s TTPs are consistent with GRU cyber activity.


  • In January 2022, WhisperGate wiper targeted multiple entities in Ukraine. CrowdStrike attributed this campaign to Ember Bear.
  • In February 2022, Ember Bear targeted an energy entity in Ukraine using spearphishing. 

Saint Bear
Saint Bear, also known as UNC2589, TA471, and Nascent Ursa, is a Russia nexus threat actor group that primarily targets state organizations in Ukraine. Saint Bear is known to use GraphSteel and GrimPlant. Saint Bear may overlap with Ember Bear.


  • In early 2022, Saint Bear was observed targeting organizations in Ukraine with Cobalt Strike, GrimPlant, and GraphSteel. Saint Bear used a malicious binary masquerading as Ukrainian language translation software in the campaign.
  • In early 2022, Saint Bear targeted multiple entities in Ukraine, including the private TV channel ICTV. In this campaign, the threat actors leveraged macro-embedded malicious Excel documents and the Elephant Framework.

Other Groups
The groups noted below are presumably Russia nexus threat actor groups and are known to target entities in Ukraine. Little is known about these groups. They are potentially part of other more well-known Russia nexus threat actor groups.


  • In 2022, a campaign leveraging MarsStealer targeted entities in Ukraine. Industry researchers attributed this activity to UAC-0041.  
  • In March 2022, UAC-0088 targeted an entity in Ukraine with DoubleZero, a wiper malware. This sabotage campaign was reminiscent of other wiper malware campaigns perpetrated by Russian threat actors.
  • In early 2022, UAC-0098 used IcedID and Zimbra exploits in a phishing campaign targeting government entities in Ukraine. 

Tracking Russia Nexus Threat Actor Activity With PolySwarm

PolySwarm tracked malware associated with the following Russia nexus APT threat actors in 2022:

  • Primitive Bear
  • VooDoo Bear
  • Cozy Bear
  • Ember Bear
  • UAC-0098
