Threat Actor Profile

Voodoo Bear

Voodoo Bear, also known by aliases such as Sandworm, Telebots, and BlackEnergy, is a highly advanced Russian state-sponsored threat actor. Known to be affiliated with the GRU's Unit 74455, Voodoo Bear specializes in cyber espionage, sabotage, and influence operations. Active since at least 2008, the group primarily targets critical infrastructure, government agencies, and global enterprises using destructive malware and sophisticated techniques.


Country of Origin

Voodoo Bear is widely attributed to Russia, specifically linked to the GRU (Main Intelligence Directorate), Russia’s military intelligence service. It operates in direct alignment with Russian geopolitical and military objectives.

Members

Details about individual members are scarce, given the highly secretive nature of GRU operations. The group acts as part of a larger coordinated effort within state-sponsored cyber campaigns, utilizing aliases such as Sandworm, Iridium, and BlackEnergy to mask its activities and identity.

Leadership

The precise leadership of Voodoo Bear remains unknown. Intelligence links its operations to Unit 74455 of the GRU, also called GTsST (Main Center for Special Technologies), highlighting its organized and state-backed structure.

Voodoo Bear TTPs

Tactics

The overarching goals of Voodoo Bear include espionage, destabilization of targeted nations, sabotage via critical infrastructure attacks, and conducting influence operations. Their highly destructive capabilities differentiate them from other Advanced Persistent Threats (APTs).

Techniques

To achieve their objectives, Voodoo Bear leverages tools like wipers (HermeticWiper, CaddyWiper), spearphishing campaigns, exploitation of zero-day vulnerabilities, and botnets such as Cyclops Blink. They also engage in masquerading techniques, targeting victims via trojanized or spoofed software.

Procedures

Key procedures carried out by the group include gaining initial access through phishing emails or fake updates, exploiting unpatched vulnerabilities in systems, and employing malware like NotPetya and Industroyer2 to disrupt networks. They follow up with lateral movement, credential harvesting, and long-term persistence through backdoors like DarkCrystal RAT.

Notable Cyberattacks

  • 2008 Georgia Cyberattacks: First observed activity targeting government and infrastructure during the Russia-Georgia conflict.

  • 2015/2016 Ukrainian Power Grid Attacks: Disrupted power grids using malware like BlackEnergy.

  • 2017 NotPetya Attack: Global ransomware-style campaign attributed to Voodoo Bear, causing billions in damage.

  • 2022 Ukraine Conflict: Deployment of destructive tools like HermeticWiper to aid Russian military operations.


Law Enforcement & Arrests

While no direct arrests tied to Voodoo Bear members have been reported, international cybersecurity agencies and governments remain vigilant in issuing advisories and sharing critical threat intelligence to disrupt the group’s activities.

How to Defend Against Voodoo Bear

1. Multi-Factor Authentication (MFA): Enforce MFA to limit access gained through compromised credentials.

2. Patch Management: Regularly update software to mitigate zero-day vulnerabilities.

Huntress tools, such as advanced threat detection and response platforms, can help identify and neutralize malware and other IOCs linked to Voodoo Bear effectively.
