Fighting Ursa

Threat Actor updated 23 days ago (2024-11-29T14:36:24.714Z)

Download STIX

Preview STIX

Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy, is a highly active Russian cyber threat actor with a notorious history of carrying out high-profile attacks. The group has been linked to significant cyber offensives including US election interference in 2016, the NotPetya attacks, the Olympic Destroyer effort, and more. Their tactics are consistent across campaigns, and they exclusively use the HeadLace backdoor, which further validates their attribution. One of their key strategies involves disguising malicious files by exploiting Windows' default setting of hiding file extensions, a tactic adopted from other Russian threat actors. In March 2024, Fighting Ursa launched a campaign that leveraged a unique approach: a used car sale phishing scheme aimed at diplomats. This scheme involved the distribution of the HeadLace backdoor malware via a fake car advertisement, demonstrating the group's innovative methods of attack. The attribution of this campaign to Fighting Ursa was made with medium to high confidence by cybersecurity experts. Earlier in May, the threat actor exploited Webhook.site, a legitimate service, to initiate the infection chain by hosting a malicious HTML page. Fighting Ursa continues to be a persistent threat, particularly due to its innovative use of legitimate web services in its attack infrastructure. Cybersecurity experts predict that the group will maintain this strategy in future campaigns. The group's consistent tactics, motivation, and the exclusive use of the HeadLace backdoor indicate that Fighting Ursa remains a significant threat to global cybersecurity.

Description last updated: 2024-08-14T08:41:40.291Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT28 is a possible alias for Fighting Ursa. APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM, is a threat actor linked to Russia. The group has been associated with cyber espionage campaigns across Central Asia and has historically targeted areas of national security, military operations, and geopolitical influ	5
Ursa is a possible alias for Fighting Ursa. Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malwar	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Vulnerability

Exploit

Malware

Outlook

Backdoor

Microsoft

Apt

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The vulnerability CVE-2023-233397 is associated with Fighting Ursa.	Unspecified	2

Source Document References

Information about the Fighting Ursa Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	5 months ago	Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware
Securityaffairs	5 months ago	Security Affairs newsletter Round 483 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Russia-linked APT used a car for sale as a phishing lure to target diplomats with HeadLace malware
Unit42	5 months ago	Fighting Ursa Luring Targets With Car for Sale
Securityaffairs	8 months ago	NATO and the EU formally condemned APT28 cyber espionage
CERT-EU	9 months ago	APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	Cyber Security Today, Dec. 8, 2023 – Ransomware is increasingly impacting OT systems, and more \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
DARKReading	a year ago	Russian Espionage Group Hammers Zero-Click Microsoft Outlook Bug
CERT-EU	a year ago	Stronger action against North Korean cyber threats pushed by US, South Korea, Japan
CERT-EU	a year ago	Analysis: Russian hackers using Outlook zero-day in campaign targeting NATO nations \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
Securityaffairs	a year ago	Russia's APT8 exploited Outlook 0day to target EU NATO members
CERT-EU	a year ago	Lazarus sub-group targets South Korean defense firms
CERT-EU	a year ago	Cyber Security Week in Review: December 8, 2023
CERT-EU	a year ago	Top Russian military hackers target NATO using Microsoft Outlook exploits \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
Unit42	a year ago	Fighting Ursa Aka APT28: Illuminating a Covert Campaign