Fancy Bear and Venomous Bear: What’s the difference between the two threat groups?

• Fancy Bear, also known as the Sofacy threat group, is a Kremlin-based cyber-espionage group.
• Venomous Bear, better known as Turla threat group is a Russian-based cyber-espionage group.

Fancy Bear threat group

Fancy Bear, also known as the Sofacy threat group, is a Kremlin-based cyber-espionage group. The threat group’s other names include APT28, Strontium, Tsar Team, and Pawn Storm. Fancy Bear primarily targets government entities, defense, energy, and media sectors.

Sofacy’s major attacks

Sofacy aka Fancy Bear is said to be responsible for various attacks on the following:

• The German Parliament (2014)
• TV5Monde, the French Television Station (2015)
• The White House (2015)
• NATO (2015)
• The Democratic National Committee (2016)
• IAAF (International Association of Athletes Federation) (2017)
• The International Olympic Committee (2018) and more.

Venomous Bear threat group

Venomous Bear, better known as Turla threat group is a Russian-based cyber-espionage group. This threat group is also known as Snake, Group 88, Waterbug, WRAITH, Uroburos, Pfinet, TAG_0530, KRYPTON, Hippo Team, Pacifier APT, Popeye, SIG23, and Iron Hunter. Venomous Bear primarily targets the government, militaries, and embassies.

Turla’s major attacks

• The US Central Command (2008)
• The office of the prime minister of a former Soviet Union member country (2012)
• A Swiss technology company RUAG (2014)
• G20 attendees including politicians, policy makers, and journalists in April 2017.
• Germany’s government computer network (March 2018).
• Germany’s Federal Foreign Office and the Federal College of Public Administration.

Malicious tools used by the groups

Fancy Bear widely uses malware such as ADVSTORESHELL, CHOPSTICK, JHUHUGIT, and XTunnel. The group has also developed several custom malware such as Foozer, WinIDS, X-Agent, X-Tunnel, and DownRange.

On the other hand, the Turla APT group has been known to use malicious tools such as Gazer, KopiLuwak, ICEDCOFFEE, Carbon backdoor, Moonlight Maze, Mosquito backdoor, Mimikatz, Outlook backdoor, and LightNeuron backdoor.

While both the threat groups are cyber-espionage groups primarily targeting government entities, their attack vectors, targets, and the malware used differs