Cloaked Ursa

Threat Actor updated 3 months ago (2024-08-14T09:46:30.555Z)
Cloaked Ursa, also known as APT29, BlueBravo, Midnight Blizzard, and formerly Nobelium, is a Russian threat actor believed to be associated with Russia's Foreign Intelligence Service (SVR). The group has been active in conducting cyber-espionage attacks against various diplomatic entities throughout Eastern Europe. Their sophisticated techniques include using popular cloud storage platforms such as Dropbox as Command and Control (C2) servers to stealthily establish communications with infected hosts, thereby evading detection.

In July 2023, Unit42 reported on Cloaked Ursa's unique approach of repurposing a BMW car advertisement to target diplomats working at embassies in Ukraine. This campaign, dubbed the "BMW Campaign," began in May 2023 and targeted Western diplomats from countries including the U.S., Canada, Spain, and the Netherlands. The attackers co-opted a legitimate site to download a malicious payload when users interacted with the lure, demonstrating their ability to exploit everyday online activities for malicious purposes. The malware used has shown a significant degree of code overlap with other known Cloaked Ursa malware, indicating a consistent development approach.

Furthermore, the group's actions are part of a broader trend of threat actors employing creative lures to entice victims into engaging with malicious content. As such, Cloaked Ursa continues to pose a substantial threat to diplomatic missions and other sensitive targets, necessitating ongoing vigilance and robust cybersecurity measures.
Description last updated: 2024-08-14T08:41:54.083Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes

APT29 is a possible alias for Cloaked Ursa. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw | Votes: 5

Cozy Bear is a possible alias for Cloaked Ursa. Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. This entity has been behind numerous cyberattacks with malicious intent, targeting various organizations and systems worldwide. The first significant intrusion attributed to Cozy | Votes: 4

NOBELIUM is a possible alias for Cloaked Ursa. Nobelium, a Russia-linked Advanced Persistent Threat (APT) group, also known under various aliases such as APT29, SVR group, BlueBravo, Cozy Bear, Midnight Blizzard, and The Dukes, has been actively involved in large-scale cyber espionage campaigns. The threat actor has been targeting French diploma | Votes: 2

Bluebravo is a possible alias for Cloaked Ursa. BlueBravo, a threat actor linked to the Russia-based Advanced Persistent Threat (APT) group APT29, has been identified as a significant cyber threat. Also known by various other names such as SVR Group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes, this entity is suspected of conducting sev | Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Espionage
Phishing
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes

The Ursa Malware is associated with Cloaked Ursa. Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malwar | Association Type: Unspecified | Votes: 4
Source Document References
Information about the Cloaked Ursa Threat Actor was read from the documents corpus below.

Source Link | CreatedAt (the Preview and Title columns were not captured)

DARKReading | 4 months ago
Securityaffairs | 4 months ago
Unit42 | 4 months ago
Unit42 | 9 months ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
Securityaffairs | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
BankInfoSecurity | a year ago
InfoSecurity-magazine | a year ago
Unit42 | a year ago