Ursa

Malware updated 3 months ago (2024-08-14T09:25:42.910Z)

Download STIX

Preview STIX

Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malware, which is exclusive to this threat actor. In July 2023, Unit42 reported on Fighting Ursa's phishing scheme targeting diplomats through a used car sale lure, distributing the HeadLace backdoor malware. This tactic aligns with previously documented campaigns by Fighting Ursa and other Russian threat actors. The Hyperledger Foundation's Ursa project, unrelated to the malware, involves post-quantum cryptography in the production of open-source software for blockchain. Meanwhile, the Ursa Major company, based in Colorado, focuses on 3D rocket engine printing. Established in Youngstown, Ohio, in 2021 through a $3 million contract from America Makes, Ursa Major's Advanced Manufacturing Lab aims to boost U.S. manufacturing competitiveness through the adoption of additive manufacturing, also known as 3D printing. In terms of funding, Ursa Major recently announced that it received an additional $1.2 million from America Makes to transition its additive manufacturing of rocket engine hardware prototypes to production qualification hardware. This follows their earlier work producing thrust chambers for the vacuum variant of their Hadley liquid rocket engine. These developments represent significant advancements in additive manufacturing techniques for solid rocket motor production, positioning Ursa Major at the forefront of this innovative field.

Description last updated: 2024-08-14T08:42:20.496Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT28 is a possible alias for Ursa. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)	3
Fighting Ursa is a possible alias for Ursa. Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy, is a highly active Russian cyber threat actor with a notorious history of carrying out high-profile attacks. The group has been linked to significant cyber offensives including US election interference in 2016, the NotPetya attacks, the Oly	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Malware

Phishing

Apt

Payload

Windows

Outlook

Vulnerability

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Uroburos Malware is associated with Ursa. Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen	Unspecified	2
The Kazuar Malware is associated with Ursa. Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russian-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 and	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Cloaked Ursa Threat Actor is associated with Ursa. Cloaked Ursa, also known as APT29, BlueBravo, Midnight Blizzard, and formerly Nobelium, is a Russian threat actor believed to be associated with Russia's Foreign Intelligence Service (SVR). The group has been active in conducting cyber-espionage attacks against various diplomatic entities throughout	Unspecified	4
The APT29 Threat Actor is associated with Ursa. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw	Unspecified	3
The Cozy Bear Threat Actor is associated with Ursa. Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. This entity has been behind numerous cyberattacks with malicious intent, targeting various organizations and systems worldwide. The first significant intrusion attributed to Cozy	Unspecified	3
The Pensive Ursa Threat Actor is associated with Ursa. Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti	Unspecified	2
The Turla Threat Actor is associated with Ursa. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (	Unspecified	2

Source Document References

Information about the Ursa Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	4 months ago	Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware
Unit42	4 months ago	Fighting Ursa Luring Targets With Car for Sale
BankInfoSecurity	5 months ago	Brazil's Climb Onto the World Stage Sparks Cyber Risks
CERT-EU	2 years ago	Linux SSH servers targeted by novel ShellBot malware variants
CERT-EU	2 years ago	More than $1.6M stolen in General Bytes hack
CERT-EU	a year ago	A path forward in meeting the emerging cyber threats to the blockchain
CERT-EU	a year ago	Carahsoft to Provide Public Sector Access to Resiliant Identity & Cybersecurity Products; Steve Jacyna Quoted - ExecutiveBiz
CERT-EU	a year ago	Defense Watch: SEC Cyber Rule, USCG UAS RFP, Frigate Test Site - Defense Daily
CERT-EU	2 years ago	Ukraine targeted by novel malware attacks
CERT-EU	2 years ago	Over 90K credentials stolen by Mispadu trojan in LatAm attacks
CERT-EU	a year ago	Analysis: Russian hackers using Outlook zero-day in campaign targeting NATO nations \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
Unit42	a year ago	Fighting Ursa Aka APT28: Illuminating a Covert Campaign
CERT-EU	a year ago	Over the Kazuar’s nest: Cracking down on a freshly hatched backdoor used by Pensive Ursa - Cyber Security Review
Unit42	a year ago	Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)
CERT-EU	a year ago	SolarWinds Attackers Dangle BMWs to Spy on Diplomats
CERT-EU	a year ago	Russians try to exploit sale of a BMW 5 to hack diplomats in Ukraine: Report \| IT World Canada News
InfoSecurity-magazine	a year ago	Diplomats in Ukraine Targeted by “Staggering” BMW Phishing Campaign
Unit42	a year ago	Diplomats Beware: Cloaked Ursa Phishing With a Twist
Unit42	2 years ago	Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine