SolarWinds Breach Exploited with Luxury Lures: Diplomats Targeted Using BMW Temptation

The Russia-backed Group Behind SolarWinds Attack Targets Diplomats in Ukraine

Introduction

A Russia-backed group known as Cloaked Ursa or Nobelium/APT29 has been observed targeting foreign diplomats working at embassies in Ukraine with a new and more personal approach. Researchers from Palo Alto Networks’ Unit 42 have identified this group as the one responsible for the infamous SolarWinds attack. Cloaked Ursa typically uses politically related lures to entice victims to click on malicious links, but this recent campaign employed a more unconventional tactic.

The lure and execution

The initial lure used in this campaign was a legitimate flyer for the sale of a used BMW sedan in Kyiv. The flyer had been circulated to various embassies by a diplomat within the Polish Ministry of Foreign Affairs. Two weeks later, the group repurposed it, creating its own illegitimate version and sending it to multiple diplomatic missions. The message included a malicious link, inviting targets to click on it for more photos of the car. Clicking the link instead executed JavaScript-based malware that silently installed a backdoor on the victim’s system, enabling the attackers to load further malicious code over a command-and-control connection.

Target selection and scale

To generate their target list, Cloaked Ursa used publicly available embassy email addresses for about 80% of the victims and unpublished addresses not found on the surface web for the remaining 20%. This calculated approach enabled the group to maximize its access to the networks it wanted. Unit 42 researchers observed the campaign being used against 22 of the 80 foreign missions in Ukraine, and the actual number of targets is likely higher. For a typically clandestine operation, this represents a significant scale.

Pivoting tactics

The change in lure tactics is a strategic pivot for Cloaked Ursa, moving away from job-related subjects toward lures that appeal to recipients’ personal needs and wants. By doing so, the group aims to increase the campaign’s success rate, not only compromising the initial target but also extending its reach to other individuals within the same organization and the broader diplomatic community. Because the lures are widely applicable, they are more likely to be forwarded to others, both inside an organization and across the diplomatic community.

Cloaked Ursa and SolarWinds

Cloaked Ursa, also known as Nobelium/APT29, is a state-sponsored group associated with Russia’s Foreign Intelligence Service (SVR). The group gained notoriety for the SolarWinds attack, which involved a backdoor discovered in December 2020 and affected approximately 18,000 organizations through infected software updates. Since then, Cloaked Ursa has remained consistently active, targeting various foreign ministries, diplomats, and the US government. The group exhibits sophistication in tactics and custom malware development, as evidenced by similarities to other known campaigns and code overlap with previously identified malware.

Mitigating APT Cyberattacks on Civil Society

Security Recommendations

In light of these recent attacks, the researchers from Unit 42 offer several recommendations to mitigate the risk of falling prey to APTs like Cloaked Ursa:

1. Cybersecurity training for diplomats: Administrators should provide comprehensive cybersecurity training to newly assigned diplomats before they arrive in their host country. This training should focus specifically on the cybersecurity threats prevalent in the region.

2. Caution with downloads and URL-shortening services: Government and corporate employees should exercise caution when downloading files, even from seemingly legitimate sites. Additionally, they should be vigilant about URL redirection when using URL-shortening services, as it can be indicative of a phishing attack.

3. Verify file extensions: Individuals should carefully examine email attachments and verify file extension types to ensure that the file they are opening is the desired one. They should be cautious of files with extensions that do not match or attempt to obfuscate the nature of the file.

4. Disable JavaScript: The researchers suggest that diplomatic employees disable JavaScript as a precautionary measure. This would render any malware based on JavaScript unable to execute, providing an added layer of protection.
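Recommendation 3 (verify file extensions) and the JavaScript-based attachment described above can be turned into a simple mail-gateway or endpoint check. The following is an added example, not code from Unit 42 or from the original article; the signature table, the executable-extension list and the sample attachments are constructed for illustration.

```python
# Flag attachments whose name or content contradicts the file type the
# recipient expects: double extensions that hide a script, an RTLO
# character that reverses the visible extension, or magic bytes that
# do not match the declared extension. Sample set is constructed.

# Magic-byte signatures for a few common document formats (assumed subset).
MAGIC = {
    b"%PDF": ".pdf",
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"PK\x03\x04": ".zip",  # Office OOXML files are zip containers
}
OOXML = {".docx", ".xlsx", ".pptx"}
# Extensions that execute code when double-clicked on a typical workstation.
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".hta", ".exe", ".scr",
                   ".lnk", ".iso", ".bat", ".cmd", ".ps1"}


def check_attachment(name: str, head: bytes) -> list[str]:
    """Return a list of findings for a filename and its leading bytes."""
    findings = []
    exts = ["." + p for p in name.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        if len(exts) > 1:
            findings.append(f"double extension hides executable type: {name}")
        else:
            findings.append(f"executable attachment type: {last}")
    if "\u202e" in name:
        findings.append("right-to-left override character in filename")
    detected = next((ext for sig, ext in MAGIC.items()
                     if head.startswith(sig)), None)
    if detected and detected != last and not (
            detected == ".zip" and last in OOXML):
        findings.append(f"content looks like {detected} but extension is {last}")
    if detected is None and last in MAGIC.values():
        findings.append(f"extension {last} but content does not match its signature")
    return findings


if __name__ == "__main__":
    # Constructed samples modelled on the "more photos of the car" lure.
    samples = [
        ("BMW_photos.pdf", b"%PDF-1.7\n"),
        ("BMW_photos.pdf.js", b"var a = 1;"),
        ("car.jpg", b"<html><script>"),
        ("car.png", b"%PDF-1.4\n"),
    ]
    for n, h in samples:
        print(n, "->", check_attachment(n, h) or "ok")
```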

Conclusion

The recent campaign by the Russia-backed group Cloaked Ursa highlights the evolving tactics employed by state-sponsored threat actors. By leveraging more personal lures, they increase the likelihood of infecting not only the initial target but also other individuals within the same organization and the wider diplomatic community. To counter these threats, diplomatic missions and government organizations must prioritize cybersecurity training, exercise caution with downloads and email attachments, and consider additional measures such as disabling JavaScript. The battle against APTs requires constant vigilance and adaptation, as these sophisticated cyber adversaries continue to pose a significant risk to civil society.
