Foreign diplomatic missions and non-governmental organisations (NGOs) in Ukraine are failing to adequately safeguard staffers from basic phishing attacks, putting government personnel and national security at extreme risk, according to research looking into a repeating campaign that uses virtually identical lures, unchanged from previous years.
Last year, Palo Alto Networks’ Unit 42 research team reported on a series of phishing attempts tracked to the Cozy Bear or APT29 group, in which the Russians masqueraded as a Polish official being withdrawn from Kyiv and looking to sell a nearly new BMW 5 Series.
Described as “staggering in scope” for a clandestine advanced persistent threat (APT) mission, Unit 42 revealed that Cozy Bear targeted diplomats from Albania, Argentina, Canada, Cyprus, Denmark, Estonia, Greece, Iraq, Ireland, Kuwait, Kyrgyzstan, Latvia, Libya, the Netherlands, Norway, Slovakia, Spain, Sudan, Turkey, Turkmenistan, the US and Uzbekistan.
A year down the line, the Unit 42 team has returned to the scene of the crime only to find that another non-existent staffer, this time at the Bucharest-based Southeast Europe Law Enforcement Center (SELEC) agency, is trying to offload an Audi Q7 Quattro SUV.
But this time round, the campaign is being run not by Cozy Bear, but by a different APT group altogether, Fancy Bear, also known as APT28 or, in Unit 42’s rolodex, Fighting Ursa.
This campaign seems to date back to March 2024 and appears to bear no relation to the Cozy Bear campaign, said Unit 42. The team said it had been able to attribute the 2024 Audi campaign to Fancy Bear, as opposed to Cozy Bear, with a medium to high degree of confidence.
“Diplomatic-car-for-sale phishing lure themes have been used by Russian threat actors for years. These lures tend to resonate with diplomats and get targets to click on the malicious content,” said the team.
“The similarity in tactics points to known behaviours of Fighting Ursa. The Fighting Ursa group is known for repurposing successful tactics – even continuously exploiting known vulnerabilities for 20 months after their cover was already blown,” they said.
In Fancy Bear’s campaign, the legitimate Webhook.site service was used to host a URL that, when clicked, returned a malicious HTML page. That page first checked whether the visiting computer was running Windows and, if it was, built a ZIP archive in the browser and attempted to open it using the JavaScript click function.
This archive, saved as IMG-387470302099.zip, contains three files that work in tandem to download and execute Fancy Bear’s HeadLace backdoor malware on the victim’s system, giving the group deeper access into the targeted organisation.
Unit 42 said Fancy Bear’s use of a legitimate web service in its attack chain gave organisations at risk of being victimised a fighting chance to get ahead of its campaigns.
“We assess that Fighting Ursa will continue to use legitimate web services in its attack infrastructure,” they said. “To defend against these attacks, defenders should limit access to these or similar hosting services as necessary. If possible, organisations should scrutinise the use of these free services to identify possible attack vectors.”
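The two defensive hooks the article describes are the abuse of a legitimate, free web service (Webhook.site) as the first hop, and a served HTML page that checks for Windows and assembles a ZIP archive in the browser before triggering a click. The following triage script is an added example written for this piece and is not Unit 42 or Palo Alto Networks code. It assumes a constructed proxy log format (timestamp, client, method, URL, status, content type), uses my own heuristic regexes for the in-browser archive drop, and embeds constructed sample data; the only article-sourced specifics are the webhook.site host, the Windows check, the JavaScript click, and the archive name IMG-387470302099.zip. The Webhook.site path in the sample log is a placeholder.

```python
"""Defender-side triage for the Webhook.site car-for-sale lure chain.

Added example, not Unit 42 code. Assumptions: the proxy log layout, the
indicator regexes, and the sample inputs below are all constructed here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Legitimate services the article says the group abuses as a first hop.
# Extend this set with other free hosting services your policy restricts.
WATCHED_HOSTS = {"webhook.site"}

# Heuristic indicators of a page that builds and drops an archive client-side
# (OS gate, object-URL/Blob construction, .zip download attribute, auto-click).
SMUGGLING_INDICATORS = {
    "windows_check": re.compile(r"navigator\.(?:userAgent|platform)[^;\n]{0,80}Windows", re.I),
    "blob_build": re.compile(r"new\s+Blob\s*\(|URL\.createObjectURL\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=\s*['\"][^'\"]+\.zip['\"]", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}


@dataclass
class ProxyEvent:
    ts: str
    client: str
    method: str
    url: str
    status: int
    content_type: str

    @property
    def host(self) -> str:
        """Extract the lowercase hostname from the request URL."""
        return self.url.split("//", 1)[-1].split("/", 1)[0].lower()


def parse_proxy_line(line: str) -> Optional[ProxyEvent]:
    """Parse one constructed proxy log line; return None on malformed input."""
    parts = line.split()
    if len(parts) != 6 or not parts[4].isdigit():
        return None
    ts, client, method, url, status, ctype = parts
    return ProxyEvent(ts, client, method, url, int(status), ctype)


def flag_watched_hosts(lines: List[str]) -> List[ProxyEvent]:
    """Return every event whose destination is one of the watched services."""
    hits = []
    for line in lines:
        ev = parse_proxy_line(line)
        if ev is not None and ev.host in WATCHED_HOSTS:
            hits.append(ev)
    return hits


def score_html(body: str) -> Set[str]:
    """Return the names of the smuggling indicators present in an HTML body."""
    return {name for name, rx in SMUGGLING_INDICATORS.items() if rx.search(body)}


def is_likely_smuggling(body: str, min_hits: int = 3) -> bool:
    """Treat a body as suspicious when at least min_hits indicators co-occur."""
    return len(score_html(body)) >= min_hits


# Constructed sample data (not captured traffic). The Webhook.site path is a placeholder.
SAMPLE_PROXY_LOG = """\
2024-03-12T09:14:02Z 10.20.30.41 GET https://webhook.site/00000000-0000-0000-0000-000000000000 200 text/html
2024-03-12T09:14:03Z 10.20.30.41 GET https://www.example.org/news 200 text/html
2024-03-12T09:15:10Z 10.20.30.57 POST https://webhook.site/11111111-1111-1111-1111-111111111111 200 application/json
""".splitlines()

# Constructed HTML fragments: one carrying the lure's indicators (archive assembly
# omitted), one ordinary page that merely clicks a form button.
SUSPICIOUS_HTML = (
    '<script>if (navigator.userAgent.indexOf("Windows") > -1) {'
    ' /* constructed sample: archive assembly omitted */'
    ' a.download = "IMG-387470302099.zip"; a.click(); }</script>'
)
BENIGN_HTML = '<script>document.getElementById("submit").click();</script><p>Welcome</p>'


if __name__ == "__main__":
    for ev in flag_watched_hosts(SAMPLE_PROXY_LOG):
        print(f"watched host hit: {ev.ts} {ev.client} {ev.method} {ev.host} ({ev.content_type})")
    print("suspicious sample:", sorted(score_html(SUSPICIOUS_HTML)), is_likely_smuggling(SUSPICIOUS_HTML))
    print("benign sample:", sorted(score_html(BENIGN_HTML)), is_likely_smuggling(BENIGN_HTML))
```

The host check is deliberately independent of the HTML scoring: an organisation that, as Unit 42 suggests, restricts these free services can act on the first list alone, while the indicator score is a second opinion for bodies fetched through a proxy that retains content. The threshold of three co-occurring indicators keeps an ordinary page with a single programmatic click from raising an alert.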
Two bears are better than one?
Ordinarily, Cozy Bear and Fancy Bear are thought to operate within different agencies of the Russian intelligence machine.
Cozy Bear is assessed to be connected to Moscow’s Foreign Intelligence Service (SVR), which reports directly to Russian dictator Vladimir Putin.
Meanwhile, Fancy Bear is more often linked to military intelligence agency the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which is subordinate to Russian military command.
However, both the SVR and the GRU are themselves successor agencies to the Cold War-era KGB, and given that their objectives align with Russia’s overall geopolitical goals, it is not surprising that there should be some overlap between the two operations.
Indeed, Cozy Bear and Fancy Bear have been observed collaborating in the past, and when they do, their joint activity has sometimes been tracked as Grizzly Steppe.