Fighting Ursa

Malware Profile Updated 24 days ago
Fighting Ursa, also known as APT28 or Fancy Bear, is a threat group notorious for conducting attacks on behalf of Russia's military. The group has been involved in numerous cyber campaigns exploiting various vulnerabilities, the most recent being the Microsoft Outlook vulnerability tracked as CVE-2023-23397. This exploit allows attackers to steal a user's password hash by coercing the victim's Microsoft Outlook client into connecting to an attacker-controlled server, without any user interaction. Unit 42 researchers have identified three distinct campaigns associated with this vulnerability, demonstrating Fighting Ursa's continued exploitation attempts against unpatched or improperly configured systems.

Before Russia's illegal invasion of Ukraine in 2022, Fighting Ursa was primarily recognized for supporting Russian information warfare campaigns, such as creating counter-narratives around Russian Olympic doping and subverting investigations into the poisoning of Russian nationals in England in 2018. However, their activity escalated significantly in September and October, with a spate of attacks exploiting the aforementioned Outlook vulnerability. These campaigns targeted at least 30 organizations across 14 countries, including NATO and a NATO Rapid Deployable Corps, demonstrating the group's extensive reach and persistent threat.

Despite the public outing of their techniques and the attribution of the exploit to them, Fighting Ursa continued to use the same tactics in their second and third campaigns. According to Unit 42, this suggests that the access and intelligence generated by these operations outweighed the ramifications of public discovery. On at least one occasion, they directly targeted a NATO Rapid Deployable Corps, underscoring their boldness and disregard for international norms.
The tech company tracking these activities under the moniker ITG05 warns organizations of the persistent threat posed by Fighting Ursa and emphasizes the importance of maintaining updated and properly configured systems.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Ursa | 2 | Ursa is a type of malware, specifically known as the Mispadu banking trojan, that has been implicated in various spam campaigns since August. The campaigns have targeted Latin American countries and Portugal, resulting in the exfiltration of over 90,000 bank account credentials across 17,500 website
APT28 | 2 | APT28, also known as "Forest Blizzard," "Fancybear," or "Strontium," is a threat actor linked to the Russian GRU. This group has been involved in various cyber espionage activities targeting multiple countries and organizations. In October 2023, the French National Agency for the Security of Informa
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Outlook
Exploit
Microsoft
Apt
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Fighting Ursa Malware was read from the documents corpus below. This display is limited to 20 results.
Source, Created at: Title
Unit42, 6 months ago: Fighting Ursa Aka APT28: Illuminating a Covert Campaign
CERT-EU, 6 months ago: Cyber Security Today, Dec. 8, 2023 – Ransomware is increasingly impacting OT systems, and more | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Securityaffairs, 24 days ago: NATO and the EU formally condemned APT28 cyber espionage
CERT-EU, 6 months ago: Analysis: Russian hackers using Outlook zero-day in campaign targeting NATO nations | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
DARKReading, 6 months ago: Russian Espionage Group Hammers Zero-Click Microsoft Outlook Bug
CERT-EU, 6 months ago: Top Russian military hackers target NATO using Microsoft Outlook exploits | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 2 months ago: APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 6 months ago: Lazarus sub-group targets South Korean defense firms
CERT-EU, 6 months ago: Stronger action against North Korean cyber threats pushed by US, South Korea, Japan
Securityaffairs, 6 months ago: Russia's APT8 exploited Outlook 0day to target EU NATO members
CERT-EU, 6 months ago: Cyber Security Week in Review: December 8, 2023