Cloaked Ursa

Threat Actor updated 2 months ago (2024-08-14T09:46:30.555Z)
Cloaked Ursa, also known as APT29, BlueBravo, Midnight Blizzard and, formerly, Nobelium, is a Russian threat actor assessed to be associated with Russia's Foreign Intelligence Service (SVR). The group conducts cyber-espionage against diplomatic entities throughout Eastern Europe. Its tradecraft includes using popular cloud storage services such as Dropbox as command-and-control (C2) infrastructure: traffic from an infected host to a trusted, widely used SaaS domain blends in with legitimate activity, so the C2 channel is hard to spot by domain or IP reputation alone and has to be found by its behaviour.

In July 2023, Unit 42 reported that Cloaked Ursa had repurposed a BMW car advertisement as a lure for diplomats working at embassies in Ukraine. The campaign, dubbed the "BMW campaign", began in May 2023 and targeted Western diplomats from countries including the United States, Canada, Spain and the Netherlands. The lure pointed to a legitimate website the attackers had co-opted, which served the malicious payload when the user interacted with the advertisement, turning an ordinary online activity (reading a classified ad) into an infection vector.

The payload shows significant code overlap with other known Cloaked Ursa malware, indicating a consistent development lineage. The campaign also fits a broader trend of threat actors using creative lures to entice victims into engaging with malicious content. Cloaked Ursa therefore continues to pose a substantial threat to diplomatic missions and other sensitive targets, and warrants ongoing vigilance and robust defensive measures.
Description last updated: 2024-08-14T08:41:54.083Z
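The cloud-storage C2 pattern described above defeats domain and IP blocklists because the destination is a trusted service; what remains observable is the implant's behaviour. The following Python script is an added example, not code from Unit 42 or from this page, that hunts for that behaviour in web-proxy logs: it groups requests to Dropbox API hosts by source IP and user agent, then flags series whose inter-request intervals are nearly constant, which is the signature of a polling beacon rather than a person clicking around. The log layout, the host list and the thresholds (at least four requests, coefficient of variation of the intervals at most 0.2) are assumptions, and the sample log lines are constructed, not captured from any incident.

```python
"""Hunt for cloud-storage (Dropbox) C2 beaconing in web-proxy logs.

Added example: the log format, host list and thresholds are assumptions,
and the sample lines below are constructed, not captured from an incident.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Dropbox API endpoints an implant would call to pull tasking or push results.
# Assumed list; www.dropbox.com is left out because interactive browser use hits it constantly.
CLOUD_STORAGE_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Assumed proxy log layout: <iso-timestamp> <src-ip> <method> <url> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample: 10.1.4.22 polls the API every ~5 minutes with a fixed, dated
# user agent; 10.1.4.35 is a person using the Dropbox web app in bursts.
SAMPLE_LOG = """\
2023-05-16T09:00:00Z 10.1.4.22 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2023-05-16T09:05:01Z 10.1.4.22 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2023-05-16T09:10:00Z 10.1.4.22 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2023-05-16T09:14:59Z 10.1.4.22 POST https://content.dropboxapi.com/2/files/download 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2023-05-16T09:20:01Z 10.1.4.22 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
# proxy restarted
2023-05-16T09:03:12Z 10.1.4.35 GET https://www.dropbox.com/home 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/113.0"
2023-05-16T09:11:47Z 10.1.4.35 POST https://api.dropboxapi.com/2/files/upload 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/113.0"
2023-05-16T09:12:03Z 10.1.4.35 POST https://api.dropboxapi.com/2/files/upload 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/113.0"
2023-05-16T09:12:09Z 10.1.4.35 POST https://api.dropboxapi.com/2/files/upload 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/113.0"
2023-05-16T09:31:55Z 10.1.4.35 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/113.0"
"""


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match the layout are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["host"] = urlparse(rec["url"]).hostname
        yield rec


def find_beacons(text, min_requests=4, max_cv=0.2):
    """Return findings for (src, user-agent) pairs that hit cloud-storage API hosts
    at regular intervals. Regularity is measured as the coefficient of variation
    (stdev / mean) of the gaps between consecutive requests; jitter-free beacons
    sit near 0, human activity is bursty and sits well above max_cv."""
    series = defaultdict(list)
    hosts_seen = defaultdict(set)
    for rec in parse_log(text):
        if rec["host"] in CLOUD_STORAGE_HOSTS:
            key = (rec["src"], rec["ua"])
            series[key].append(rec["ts"])
            hosts_seen[key].add(rec["host"])

    findings = []
    for (src, ua), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:          # stdev needs at least two gaps
            continue
        mean = statistics.fmean(gaps)
        if mean == 0:              # duplicate timestamps, nothing to measure
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "src": src,
                "ua": ua,
                "hosts": sorted(hosts_seen[(src, ua)]),
                "count": len(times),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['hosts']} every ~{hit['mean_interval_s']}s "
              f"(n={hit['count']}, cv={hit['cv']}) UA={hit['ua']!r}")
```

On the constructed sample only 10.1.4.22 is reported: five API calls about 300 s apart with a coefficient of variation near 0.005, while the interactive user's four API calls (gaps of 16 s, 6 s and 1186 s) fall far above the threshold. To run it on real exports, adapt LINE_RE to the proxy's field order and raise max_cv for implants that add jitter. A browser-style user agent calling api.dropboxapi.com directly is worth pivoting on as a secondary signal, but it is deliberately not a hard rule here because legitimate Dropbox clients and browser extensions vary in what they send.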
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias (votes): description

APT29 (5 votes): APT29 is a possible alias for Cloaked Ursa. APT29, also known as Cozy Bear, Midnight Blizzard, Nobelium, and the Dukes, is a Russia-linked threat actor associated with SVR. This group is notorious for its sophisticated cyber espionage tactics, techniques, and procedures. APT29 often uses The Onion Router (TOR) network, leased and compromised

Cozy Bear (4 votes): Cozy Bear is a possible alias for Cloaked Ursa. Cozy Bear, also known as APT29 and associated with names like Midnight Blizzard, Nobelium, and The Dukes, is a threat actor believed to be linked with the Russian state. This group has been involved in numerous cyber espionage activities, demonstrating proficiency across multiple operating systems a

NOBELIUM (2 votes): NOBELIUM is a possible alias for Cloaked Ursa. Nobelium, a threat actor linked to Russia, has been identified as a significant cybersecurity concern due to its persistent and sophisticated cyber-espionage campaigns. Known also by various other names such as APT29, Cozy Bear, Midnight Blizzard, and The Dukes, Nobelium is believed to be operating

Bluebravo (2 votes): Bluebravo is a possible alias for Cloaked Ursa. BlueBravo, also known as APT29, Nobelium, Cozy Bear, Midnight Blizzard, and The Dukes, is a threat actor group linked to Russia that has been implicated in multiple high-profile cyberattacks. Recently, TeamViewer discovered a breach in its corporate network, with reports attributing the intrusion to
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Malware
Espionage
Phishing
Associated Malware
Alias (votes, association type): description

Ursa malware (4 votes, association type: Unspecified): This association is a naming artifact rather than evidence of shared tooling. "Ursa" is the suffix Unit 42 applies to all Russian state-linked groups, and the entry's own description refers to APT28 (also known as Fancy Bear and Sofacy), which Unit 42 tracks as Fighting Ursa, a distinct GRU-linked actor and not an alias of Cloaked Ursa. APT28 is linked to high-profile intrusions including the 2016 US election interference and is known for its use of the HeadLace backdoor; NotPetya, which the original entry also attributes to APT28, is generally attributed to Sandworm.
Source Document References
Information about the Cloaked Ursa threat actor was read from the documents corpus below. This display is limited to 20 results.
Source (created; ages are relative to the page's 2024-08-14 update):

DARKReading, 2 months ago
Securityaffairs, 2 months ago
Unit42, 3 months ago
Unit42, 8 months ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
Securityaffairs, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
BankInfoSecurity, a year ago
InfoSecurity-magazine, a year ago
Unit42, a year ago