Fighting Ursa

Threat Actor Profile Updated a month ago
Fighting Ursa, also known as APT28 or Fancy Bear, is a threat group notorious for conducting attacks on behalf of Russia's military. The group has been involved in numerous cyber campaigns exploiting various vulnerabilities, the most recent being the Microsoft Outlook vulnerability tracked as CVE-2023-23397. This vulnerability allows attackers to steal a user's password hash by coercing the victim's Microsoft Outlook client to connect to an attacker-controlled server without any user interaction. Unit 42 researchers have identified three distinct campaigns associated with this vulnerability, demonstrating Fighting Ursa's continued exploitation attempts against unpatched or improperly configured systems.

Before Russia's illegal invasion of Ukraine in 2022, Fighting Ursa was primarily recognized for supporting Russian information warfare campaigns, such as creating counter-narratives around Russian Olympic doping and subverting investigations into the poisoning of Russian nationals in England in 2018. However, their activity escalated significantly in September and October, with a spate of attacks exploiting the Outlook vulnerability. These campaigns targeted at least 30 organizations across 14 countries, including NATO and a NATO Rapid Deployable Corps, demonstrating the group's extensive reach and persistent threat.

Despite the public disclosure of their techniques and the attribution of the exploit to them, Fighting Ursa continued to use the same tactics in their second and third campaigns. According to Unit 42, this suggests that the access and intelligence generated by these operations outweighed the consequences of public discovery. On at least one occasion, they directly targeted a NATO Rapid Deployable Corps, underscoring their boldness and disregard for international norms.
The tech company tracking these activities under the moniker ITG05 warns organizations of the persistent threat posed by Fighting Ursa and emphasizes the importance of maintaining updated and properly configured systems.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

Ursa (2 votes): URSA is a harmful malware, typically delivered as an archive attachment to phishing emails. It operates as a backdoor into the infected system, enabling unauthorized access and exploitation. The malware has been particularly active in Latin America, where it's known as the Mispadu banking trojan. Si

APT28 (2 votes): APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the

Sednit (1 vote): Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, and BlueDelta, is a threat actor associated with Russia's military intelligence. Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. ESET has shed lig

Forest Blizzard (1 vote): Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which

ITG05 (1 vote): ITG05, also known by various aliases including APT28, Fancy Bear, and Forest Blizzard, is a sophisticated malware that has been targeting non-governmental organizations (NGOs) through phishing lures. This harmful software, designed to exploit and damage computer systems, infects systems primarily th

Blue Athena (1 vote): No description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Outlook
Exploit
Microsoft
Apt
State Sponso...
Russia
Nato
Malware
Zero Day
Associated Malware
ID / Type / Votes / Profile Description
No associations to display
Associated Threat Actors
ID / Type / Votes / Profile Description
No associations to display
Associated Vulnerabilities
ID / Type / Votes / Profile Description

CVE-2023-23397 (type unspecified, 1 vote): No description
Source Document References
Information about the Fighting Ursa Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source / Created At / Title

Securityaffairs (3 months ago): NATO and the EU formally condemned APT28 cyber espionage

CERT-EU (4 months ago): APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting

CERT-EU (8 months ago): Cyber Security Today, Dec. 8, 2023 – Ransomware is increasingly impacting OT systems, and more | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting

DARKReading (8 months ago): Russian Espionage Group Hammers Zero-Click Microsoft Outlook Bug

CERT-EU (8 months ago): Stronger action against North Korean cyber threats pushed by US, South Korea, Japan

CERT-EU (8 months ago): Analysis: Russian hackers using Outlook zero-day in campaign targeting NATO nations | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting

Securityaffairs (8 months ago): Russia's APT8 exploited Outlook 0day to target EU NATO members

CERT-EU (8 months ago): Lazarus sub-group targets South Korean defense firms

CERT-EU (8 months ago): Cyber Security Week in Review: December 8, 2023

CERT-EU (8 months ago): Top Russian military hackers target NATO using Microsoft Outlook exploits | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting

Unit42 (8 months ago): Fighting Ursa Aka APT28: Illuminating a Covert Campaign