Palo Alto Networks published a blog post with findings from its investigation into Cloaked Ursa, the hacking group attributed to Russia's Foreign Intelligence Service. Attackers today are more emboldened than ever, and the post discusses two such cases: one where a fake flyer was used to dupe diplomats in Ukraine, and another where the group likely used the Turkish government's guidelines on the recent earthquake as a phishing lure.
Fake flyer for a BMW sale
In April 2023, a diplomat from the Polish Ministry of Foreign Affairs sent an email to other embassies advertising the sale of a BMW in Kyiv, with an attachment named “BMW 5 for sale in Kyiv – 2023.docx”. Unit 42 determined that Cloaked Ursa obtained the advertisement either through a compromised recipient mail server or through some other intelligence operation. On May 4th, 2023, the group sent modified versions of the flyer to other embassies. These fake flyers were Word documents with the same file name, but they included a link to a legitimate website that Cloaked Ursa had co-opted. The website delivered a malicious payload disguised as photos; the “photos” were in fact .lnk shortcut files that carried out the malicious activity. Unit 42 discovered that at least 22 of the more than 80 foreign missions in Kyiv were targeted, though the actual number may be higher.
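The detection angle in the BMW case is that the "photos" were Windows shortcut files, which can be recognised from their fixed header regardless of the file name. The following added example (not code from the Palo Alto Networks post, and the sample file names and bytes are constructed) checks delivered files for the Shell Link header and flags any whose name claims to be an image, including the `photo.jpg.lnk` double-extension case that Explorer displays as `photo.jpg` by default:

```python
import struct
from pathlib import PurePath

# MS-SHLLINK header: HeaderSize 0x4C followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046 (stored little-endian).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def is_shell_link(data: bytes) -> bool:
    """True if the first 20 bytes match the Shell Link header."""
    if len(data) < 20:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def looks_like_image(filename: str) -> bool:
    """Name suggests a photo: image extension last, or an image extension
    sitting in front of a trailing .lnk that Explorer would hide."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if not suffixes:
        return False
    if suffixes[-1] in IMAGE_EXTS:
        return True
    return suffixes[-1] == ".lnk" and len(suffixes) >= 2 and suffixes[-2] in IMAGE_EXTS


def classify(filename: str, data: bytes) -> str:
    """Return 'lnk-disguised-as-image', 'shell-link', or 'benign'."""
    if not is_shell_link(data):
        return "benign"
    return "lnk-disguised-as-image" if looks_like_image(filename) else "shell-link"


# Constructed samples (not artefacts from the campaign): a real JPEG starts
# with FF D8 FF, while a shortcut starts with the 76-byte ShellLinkHeader.
LNK_STUB = b"\x4c\x00\x00\x00" + LNK_CLSID + b"\x00" * 56
SAMPLES = {
    "BMW_front.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # genuine image bytes
    "BMW_front.jpg.lnk": LNK_STUB,                         # double extension
    "BMW_side.png": LNK_STUB,                              # renamed shortcut
    "readme.lnk": LNK_STUB,                                # honest shortcut
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:20} {classify(name, blob)}")
```

The same check can be run over files extracted from an attachment or downloaded archive; a content-based match avoids relying on the extension the user happens to see.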
Leveraging government guidelines during the Turkish earthquake
This campaign likely targeted the Turkish Ministry of Foreign Affairs (MFA) between February and March 2023. Unit 42 learnt that the email lure associated with this campaign was a document purporting to be Turkish MFA guidance on assistance after the recent earthquake in Turkey. While the malicious email lure itself could not be obtained, Unit 42 discovered this second campaign from a PDF contained in a downloaded payload. Cloaked Ursa evidently saw the theme as a way to ensure a high level of interest from its targets: recipients would feel a patriotic obligation to support their nation and the earthquake's victims. In addition, given the timely and momentous nature of the lure, it was almost certainly forwarded by concerned employees to others in their organisation.