The Russia-backed group responsible for the SolarWinds attack, known as Cloaked Ursa or Nobelium/APT29, has shifted its tactics and is now targeting foreign diplomats working at embassies in Ukraine. Instead of using traditional political lures, the group is employing more personalized approaches to entice victims into clicking on malicious links.
Researchers from Palo Alto Networks' Unit 42 have been monitoring the activities of Cloaked Ursa and discovered that the initial lure in the campaign involved a legitimate flyer advertising the sale of a used BMW sedan in Kyiv. The flyer, which was originally shared by a diplomat within the Polish Ministry of Foreign Affairs, caught the attention of potential victims, particularly new arrivals to the region.
Exploiting this opportunity, Cloaked Ursa created a counterfeit version of the flyer and sent it to multiple diplomatic missions as a bait for their malware campaign. The malicious message contained a link that promised additional photos of the car, but instead, it executed malware in the background when clicked.
The malware payload used by Cloaked Ursa is JavaScript-based and provides the attackers with a backdoor into the victim's system, enabling them to load further malicious code through a command-and-control connection.
The group meticulously compiled its target list, using publicly available embassy email addresses for 80% of the victims and unpublished email addresses for the remaining 20%. This deliberate selection aimed to maximize their access to desired networks.
While the researchers observed the campaign being conducted against 22 out of the 80 foreign missions in Ukraine, they suspect that the actual number of targets is higher. The extensive scope of the attacks is remarkable for operations that are typically secretive and narrowly focused.
In a strategic shift, Cloaked Ursa has moved away from using job-related topics as bait and instead crafted lures that appeal to recipients' personal interests and desires. This change aims to increase the campaign's success rate by compromising not only the initial targets but also others within the same organization, extending its reach.
The researchers noted that these unconventional lures have broad applicability across the diplomatic community and are more likely to be forwarded to other individuals within and outside the organization.
Cloaked Ursa, also known as Nobelium/APT29, is a state-sponsored group associated with Russia's Foreign Intelligence Service (SVR). The group gained notoriety for the SolarWinds attack, which involved a backdoor discovered in December 2020 and affected approximately 18,000 organizations through infected software updates.
Since then, the group has remained active, targeting foreign ministries, diplomats, and the US government, exhibiting sophistication in both tactics and custom malware development.
To mitigate APT cyberattacks like those conducted by Cloaked Ursa, the researchers provided some recommendations for diplomatic personnel. They advised administrators to educate newly assigned diplomats about cybersecurity threats specific to the region before their arrival.
Additionally, individuals should exercise caution when downloading files, even from seemingly legitimate sources, and be vigilant about URL redirection when using URL-shortening services, as this could be indicative of a phishing attack. Verifying file extension types and avoiding files with mismatched or obfuscated extensions is crucial to prevent falling victim to phishing attempts.
Finally, the researchers suggested that diplomatic employees disable JavaScript as a preventive measure, rendering JavaScript-based malware unable to execute.
