Fighting Ursa

Threat Actor updated 25 days ago (2024-08-14T09:38:54.448Z)
Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy, is a highly active Russian cyber threat actor with a notorious history of carrying out high-profile attacks. The group has been linked to significant cyber offensives including US election interference in 2016, the NotPetya attacks, the Olympic Destroyer effort, and more. Their tactics are consistent across campaigns, and they exclusively use the HeadLace backdoor, which further validates their attribution. One of their key strategies involves disguising malicious files by exploiting Windows' default setting of hiding file extensions, a tactic adopted from other Russian threat actors.

In March 2024, Fighting Ursa launched a campaign that leveraged a unique approach: a used-car-sale phishing scheme aimed at diplomats. This scheme involved the distribution of the HeadLace backdoor malware via a fake car advertisement, demonstrating the group's innovative methods of attack. The attribution of this campaign to Fighting Ursa was made with medium to high confidence by cybersecurity experts. Earlier, in May, the threat actor exploited Webhook.site, a legitimate service, to initiate the infection chain by hosting a malicious HTML page.

Fighting Ursa continues to be a persistent threat, particularly due to its innovative use of legitimate web services in its attack infrastructure. Cybersecurity experts predict that the group will maintain this strategy in future campaigns. The group's consistent tactics and motivation, together with its exclusive use of the HeadLace backdoor, indicate that Fighting Ursa remains a significant threat to global cybersecurity.
Description last updated: 2024-08-14T08:41:40.291Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

ID | Votes | Profile Description
APT28 | 5 | APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor linked to Russia that has been active since at least 2007. The group has targeted governments, militaries, and security organizations worldwide, including the German Social Democratic Party
Ursa | 3 | Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malwar
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Vulnerability, Exploit, Malware, Outlook, Backdoor, Microsoft, Apt
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-233397 | Unspecified | 2 | None
Source Document References
Information about the Fighting Ursa Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source (Created) | Title
DARKReading (a month ago) | Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware
Securityaffairs (a month ago) | Security Affairs newsletter Round 483 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (a month ago) | Russia-linked APT used a car for sale as a phishing lure to target diplomats with HeadLace malware
Unit42 (a month ago) | Fighting Ursa Luring Targets With Car for Sale
Securityaffairs (4 months ago) | NATO and the EU formally condemned APT28 cyber espionage
CERT-EU (6 months ago) | APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (9 months ago) | Cyber Security Today, Dec. 8, 2023 – Ransomware is increasingly impacting OT systems, and more | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
DARKReading (9 months ago) | Russian Espionage Group Hammers Zero-Click Microsoft Outlook Bug
CERT-EU (9 months ago) | Stronger action against North Korean cyber threats pushed by US, South Korea, Japan
CERT-EU (9 months ago) | Analysis: Russian hackers using Outlook zero-day in campaign targeting NATO nations | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Securityaffairs (9 months ago) | Russia's APT8 exploited Outlook 0day to target EU NATO members
CERT-EU (9 months ago) | Lazarus sub-group targets South Korean defense firms
CERT-EU (9 months ago) | Cyber Security Week in Review: December 8, 2023
CERT-EU (9 months ago) | Top Russian military hackers target NATO using Microsoft Outlook exploits | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Unit42 (9 months ago) | Fighting Ursa Aka APT28: Illuminating a Covert Campaign