SpaceBears is a newer participant in the data broker trend, focusing on extortion through leaked data rather than on deploying malware. The analysis notes that the group uses a public Data Leak Site (DLS) and external file-sharing services to pressure organizations across multiple countries, while showing relatively limited technical capabilities. Hashtags: #SpaceBears #DataBroker #DataLeakSite #DLS
Key points
- SpaceBears is described as a Moscow-based group that claims high-profile attacks but shows no evidence of advanced ransomware techniques.
- The group operates a Data Leak Site (DLS) listing eight victim organizations across the US, Portugal, Canada, Germany, Norway, Morocco, and Singapore.
- Victims span sectors including manufacturing, small technology solutions, and healthcare.
- Leaked data is hosted on external file-sharing services rather than on SpaceBears’ own servers, leading to rapid deletion of files.
- The group extorts victims by threatening disclosure of stolen data and offers a decryption tool after payment, along with advice on how to prevent future attacks.
- The group's technical capabilities appear limited, but this does not reduce the risk: even a small threat actor can cause significant harm once data has been exfiltrated and exposed widely.
- Mitigation emphasizes data protection: classification, encryption, access control, network segmentation, training, incident response, backups, and third-party risk management.
MITRE Techniques
- [T1567.003] Exfiltration Over Web Service – Leaked data was hosted on external file-sharing services (web services) and on a Data Leak Site. Quote: “Leaked data was being hosted on a file sharing service.”
Indicators of Compromise
- [URL] Background links and media assets – https://socradar.io/dark-web-profile-spacebears/, https://socradar.io/wp-content/uploads/2024/06/spacebears-dls.png.webp