Phishing with a twist: Cloaked Ursa using novel ways to dupe persons of interest and citizens

Palo Alto Networks released a blog today with findings from its investigation into Cloaked Ursa, Russia’s Foreign Intelligence Service Hackers. Attackers today are more emboldened than ever and this blog discusses 2 such cases – one where a fake flyer was used to dupe diplomats in Ukraine, and another where the group likely used the Turkish Government’s guidelines on the recent earthquake as a phishing lure.

Fake flyer for BMW Sale:

In April 2023, a diplomat from the Polish Ministry of Foreign Affairs sent an email to other embassies advertising the sale of a BMW in Kyiv with a file named “BMW 5 for sale in Kyiv – 2023.docx”. Unit 42 determined that Cloaked Ursa accessed the advertisement through a compromised recipient mail server or other intelligence operation. On May 4th, 2023, they sent modified versions of the flyer to other embassies. These fake flyers used Word documents with the same name but included a link to a legitimate website that Cloaked Ursa co-opted. The website downloaded a malicious payload disguised as photos which were actually .lnk files executing malicious activity. Unit 42 discovered that at least 22 out of over 80 foreign missions in Kyiv were targeted, but the actual number may be higher.

Leveraging Governmental guidelines during the Turkish Earthquake

This campaign likely targeted the Turkish Ministry of Foreign Affairs (MFA) between Feb-March 2023. Unit 42 learnt that the email lure associated with this campaign related to a document purporting to be Turkish MFA guidance on assistance during the recent earthquake in Turkey. While the malicious email lure could not be obtained, Unit 42 discovered the second campaign based on a PDF in a downloaded payload. Cloaked Ursa saw this as a way to ensure a high level of interest from their targets – these recipients would feel a patriotic obligation to support their nation and its victims. In addition, given the timely and momentous nature of the lure, it was almost certainly forwarded by concerned employees to others in their organisation.

Anil Valluri, MD and VP, India and SAARC, Palo Alto Networks, said, “These activities are evidence that malicious groups will look to benefit from adverse political events and natural disasters while exploiting people’s innate desire to help. By targeting persons of interest and those within embassies, state-sponsored attackers gain access to sensitive and critical data. Having robust endpoint security is essential since these threats make their way on to the network via insecure end-user devices. Active attack surface management ensures complete visibility of assets and risks across endpoints, networks, and clouds. Organisations must adopt a Zero Trust approach which creates multiple layers of security to slow down attackers while lowering the risk of lateral movement between networks.”