SYMBOLCOMMON_NAMEaka. SYNONYMS

TeamSpy Crew  (Back to overview)

aka: TeamSpy, Team Bear, Berserk Bear, Anger Bear, IRON LYRIC

Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say. The attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile, malware components and command-and-control infrastructure say that it’s not entirely clear what kind of data the attackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they have specific people in mind as targets. Researchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack against a high-profile target in the country and began looking into the campaign. They quickly discovered that some of the infrastructure being used in the attack had been in use for some time and that the target they were investigating was by no means the only one.


Associated Families

There are currently no families associated with this actor.


References
2019-07-24SecureworksCTU Research Team
@online{team:20190724:resurgent:287b932, author = {CTU Research Team}, title = {{Resurgent Iron Liberty Targeting Energy Sector}}, date = {2019-07-24}, organization = {Secureworks}, url = {https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector}, language = {English}, urldate = {2019-12-06} } Resurgent Iron Liberty Targeting Energy Sector
Energetic Bear TeamSpy Crew
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:team:9602101, author = {Cyber Operations Tracker}, title = {{Team Spy Crew}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/team-spy-crew}, language = {English}, urldate = {2019-12-20} } Team Spy Crew
TeamSpy Crew
2013-03-20Kaspersky LabsGReAT
@techreport{great:20130320:teamspy:10e8000, author = {GReAT}, title = {{The ‘TeamSpy’ Story -Abusing TeamViewer in Cyberespionage Campaigns}}, date = {2013-03-20}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf}, language = {English}, urldate = {2020-01-08} } The ‘TeamSpy’ Story -Abusing TeamViewer in Cyberespionage Campaigns
TeamSpy Crew
2013-03-20CrySyS LabCrySyS Lab
@techreport{lab:20130320:teamspy:d2d8b88, author = {CrySyS Lab}, title = {{TeamSpy –Obshie manevri. Ispolzovat' tolko s razreshenija S-a.}}, date = {2013-03-20}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/teamspy.pdf}, language = {English}, urldate = {2020-01-08} } TeamSpy –Obshie manevri. Ispolzovat' tolko s razreshenija S-a.
TeamSpy Crew
2013-03-20Kaspersky LabsGReAT
@online{great:20130320:teamspy:2e6f353, author = {GReAT}, title = {{The TeamSpy Crew Attacks – Abusing TeamViewer for Cyberespionage}}, date = {2013-03-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/}, language = {English}, urldate = {2019-12-20} } The TeamSpy Crew Attacks – Abusing TeamViewer for Cyberespionage
TeamSpy Crew
2013-03-20Dennis Fisher
@online{fisher:20130320:researchers:dcff6dc, author = {Dennis Fisher}, title = {{Researchers Uncover ‘TeamSpy’ Attack Campaign Against Government, Research Targets}}, date = {2013-03-20}, url = {https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/}, language = {English}, urldate = {2019-11-20} } Researchers Uncover ‘TeamSpy’ Attack Campaign Against Government, Research Targets
TeamSpy Crew

Credits: MISP Project