As the global threat landscape continues to intensify, cybersecurity company Palo Alto Networks threat research arm, Unit 42, has released a blog post with new findings that Russia’s Foreign Intelligence Service hackers, known as Cloaked Ursa, used novel and unconventional lures to target diplomats.
While attacks on diplomatic organisations are common, Cloaked Ursa focuses on the diplomats themselves more than the countries they represent, Unit 42 finds. One particular campaign aimed at infiltrating diplomatic missions within Ukraine through something all recently placed diplomats need a vehicle.
The hackers, known as Cloaked Ursa (aka APT29, UAC-0004, Midnight Blizzard/Nobelium, Cozy Bear) are well known for targeting diplomatic missions globally. Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following:
- Notes verbale (semiformal government-to-government diplomatic communications)
- Embassies’ operating status updates
- Schedules for diplomats
- Invitations to embassy events
Further key insights included in the blog post include:
- Unit 42 found instances of Cloaked Ursa targeting diplomats by leveraging unconventional lures, including a flyer advertising a BMW for sale.
- Using this campaign, Cloaked Ursa targeted at least 22 of over 80 foreign missions located in Kyiv an astonishing number for a clandestine operation conducted by an advanced persistent threat (APT) that the United States and the United Kingdom publicly attribute to Russia’s Foreign Intelligence Service (SVR).
- Another novel Cloaked Ursa campaign targeted the Turkish Ministry of Foreign Affairs (MFA) earlier in 2023 and involved a document that purported to be Turkish MFA guidance on humanitarian assistance pertaining to a recent devastating earthquake.
- As these lures are broadly applicable across the diplomatic community, they are able to be sent and forwarded to a greater number of targets. Theyre also more likely to be forwarded to others inside of an organisation as well as within the diplomatic community.
According to Unit 42, these unconventional lures are designed to entice the recipient to open an attachment based on their own needs and wants instead of as part of their routine duties.
The lures themselves are broadly applicable across the diplomatic community and thus are able to be sent and forwarded to a greater number of targets. They’re also more likely to be forwarded to others inside of an organisation as well as within the diplomatic community, Unit 42 states.
Overall, the researchers find these factors increase the odds of a successful compromise within targeted organisations. While not likely to fully supplant diplomatic operations-themed lures, these lures focusing on individuals do provide Cloaked Ursa with new opportunities and a broader range of susceptible potential espionage targets.
Palo Alto Networks customers receive protections against the types of threats discussed in this article by products including: Cortex XDR; WildFire; and Cloud-Delivered Security Services for the Next-Generation Firewall, including Advanced URL Filtering and DNS Security.
About Author
