A Russia-backed group known as Cloaked Ursa, or Nobelium/APT29, has been identified as targeting foreign diplomats working at embassies in Ukraine. The group, responsible for the infamous SolarWinds attack, is using personalized lures to entice diplomats to click on malicious links.
Researchers from Palo Alto Networks’ Unit 42 have been tracking the activities of Cloaked Ursa and discovered that the group is using a new tactic to target its victims. Instead of using traditional political themes, the group is taking advantage of personal interests to increase the chances of success. In one instance, the group repurposed a legitimate flyer for the sale of a used BMW sedan in Kyiv, which was spread to various embassies by a diplomat within the Polish Ministry of Foreign Affairs. The flyer caught the attention of newcomers to the region, making them more vulnerable to clicking on the malicious link.
Cloaked Ursa modified the flyer and included a malicious link, claiming that it contained additional photos of the car. However, clicking on the link would execute malware in the background, giving the attackers access to the victim’s system. The malware used in the campaign is JavaScript-based and serves as a backdoor for espionage purposes. It also allows the group to load additional malicious code through a command-and-control connection.
The researchers noted that Cloaked Ursa took careful measures to generate its target list. It used publicly available embassy email addresses for 80% of the victims and unpublished email addresses for the remaining 20%. By doing so, the group aimed to maximize its access to the networks it wanted. So far, the researchers have observed the group targeting 22 of the 80 foreign missions in Ukraine, but they believe that the actual number of targets is likely higher.
This shift in lure tactics demonstrates a strategic pivot by Cloaked Ursa. In the past, the group would use subject matter related to the victims’ jobs as bait. However, the new approach is designed to entice recipients based on their personal needs and wants, rather than their routine duties. This change in tactic is likely intended to increase the success rate of the campaign and compromise not only the initial targets but also others within the same organization.
Cloaked Ursa, also known as Nobelium/APT29, is a state-sponsored group associated with Russia’s Foreign Intelligence Service (SVR). The group gained significant attention for its involvement in the SolarWinds attack, which affected thousands of organizations worldwide through infected software updates. Since then, the group has remained active, targeting foreign ministries, diplomats, and the US government. Their tactics show a high level of sophistication and custom malware development.
To mitigate the risk of APT cyberattacks like those carried out by Cloaked Ursa, researchers advise administrators to train diplomats about cybersecurity threats before they arrive in their assigned regions. It is crucial for government and corporate employees to exercise caution when downloading files, even from seemingly legitimate sources. Watching for URL redirection and scrutinizing email attachments are also essential to avoid falling victim to phishing attacks. Furthermore, disabling JavaScript can prevent the execution of malware written in that language.
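The checks recommended above (watching for URL redirection and scrutinizing attachments) can be automated for mail triage. The following Python script is an added example written for this page; it is not code from the article or from Unit 42. The sample message, its domains, the attachment name and the redirect table are constructed placeholders modelled loosely on the "more photos of the car" lure described above, not indicators from the original report. It parses an email, extracts links from the HTML body, flags links whose visible text names a different host than the real `href`, walks a redirect chain, and flags attachments with script or executable extensions such as `.js`.

```python
import email
import os
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that Windows hands to a script host or loader instead of opening
# as a document. A flyer offering "more photos" should never carry one of these.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".hta", ".vbs", ".vbe",
                     ".lnk", ".exe", ".scr"}

# Constructed sample message (placeholder addresses and domains, not IoCs).
SAMPLE_EMAIL = """From: seller@example.invalid
To: attache@embassy.example.invalid
Subject: BMW 5 Series for sale in Kyiv - more photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>More photos: <a href="http://short.example.invalid/r/abc">https://photos.example.invalid/bmw</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="photos.js"
Content-Disposition: attachment; filename="photos.js"
Content-Transfer-Encoding: base64

Ly8gcGxhY2Vob2xkZXI=
--b1--
"""

# Constructed redirect table: URL -> Location header it answers with.
SAMPLE_REDIRECTS = {
    "http://short.example.invalid/r/abc": "http://cdn.example.invalid/dl/photos.zip",
}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def follow_redirects(url, redirect_table, max_hops=10):
    """Return the redirect chain starting at url, resolved from a lookup table.
    In production the table would be filled by issuing requests with automatic
    redirects disabled from an isolated analysis host, never from the recipient's
    workstation."""
    chain = [url]
    while url in redirect_table and len(chain) <= max_hops:
        url = redirect_table[url]
        chain.append(url)
    return chain


def triage_email(raw, redirect_table):
    """Parse one RFC 5322 message and return links, attachments and findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    links = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        links = collector.links

    for href, text in links:
        href_host = urlparse(href).hostname
        # Visible text that looks like a URL but points somewhere else is the
        # classic sign of a disguised link.
        if text.startswith(("http://", "https://")):
            shown_host = urlparse(text).hostname
            if shown_host != href_host:
                findings.append(f"link text shows {shown_host} but href points to {href_host}")
        chain = follow_redirects(href, redirect_table)
        if len(chain) > 1:
            findings.append(f"href redirects {len(chain) - 1} hop(s): {' -> '.join(chain)}")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append(name)
        ext = os.path.splitext(name.lower())[1]
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"attachment {name} has script/executable extension {ext}")

    return {"links": links, "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for line in triage_email(SAMPLE_EMAIL, SAMPLE_REDIRECTS)["findings"]:
        print("FINDING:", line)
```

Run against the constructed sample, the script reports three findings: a host mismatch between the link text and its `href`, a one-hop redirect to a download URL, and a `.js` attachment. The extension list is a starting point rather than a complete policy; a production gateway would also inspect archives for such files and apply the same checks to the URL's final destination.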
As Cloaked Ursa continues its campaign of targeted attacks on foreign diplomats in Ukraine, it is essential for individuals and organizations to remain vigilant and adopt comprehensive security measures to protect against sophisticated cyber threats.