Cloaked Ursa Diplomatic Phishing Campaign

Details
Content
Dependencies
Version History

This pack detects and responds to the Cloaked Ursa Diplomatic Phishing Campaign

This pack is part of the Rapid Breach Response pack.

Cloaked Ursa: Targeting Diplomatic Missions with Phishing Lures

Summary:

Cloaked Ursa, a hacking group associated with Russia's Foreign Intelligence Service, has been persistently targeting diplomatic missions globally. Using phishing tactics, Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following:

Notes verbale (semiformal government-to-government diplomatic communications)
Embassies’ operating status updates
Schedules for diplomats
Invitations to embassy events

Recently, Unit42 researchers observed a shift in their strategy, with a focus on targeting diplomats themselves. In Kyiv alone, at least 22 out of over 80 foreign missions were targeted.

The playbook includes the following tasks:

IoCs Collection

Blog IoCs download

Hunting:

Cortex XDR XQL exploitation patterns hunting
Advanced SIEM exploitation patterns hunting
Indicators hunting

The hunting queries are searching for the following activities:

Related LNK files execution command line
Dropped file names

Mitigations:

Unit42 mitigation measures

References:

Diplomats Beware: Cloaked Ursa Phishing With a Twist

This pack is part of the Rapid Breach Response pack.

Cloaked Ursa: Targeting Diplomatic Missions with Phishing Lures

Summary:

Notes verbale (semiformal government-to-government diplomatic communications)
Embassies’ operating status updates
Schedules for diplomats
Invitations to embassy events

Recently, Unit42 researchers observed a shift in their strategy, with a focus on targeting diplomats themselves. In Kyiv alone, at least 22 out of over 80 foreign missions were targeted.

The playbook includes the following tasks:

IoCs Collection

Blog IoCs download

Hunting:

Cortex XDR XQL exploitation patterns hunting
Advanced SIEM exploitation patterns hunting
Indicators hunting

The hunting queries are searching for the following activities:

Related LNK files execution command line
Dropped file names

Mitigations:

Unit42 mitigation measures

References:

Diplomats Beware: Cloaked Ursa Phishing With a Twist

Playbooks

Name	Description
Cloaked Ursa Diplomatic Phishing Campaign	Cloaked Ursa: Targeting Diplomatic Missions with Phishing Lures Summary: Cloaked Ursa, a hacking group associated with Russia's Foreign Intelligence Service, has been persistently targeting diplomatic missions globally. Using phishing tactics, Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following: Notes verbale (semiformal government-to-government diplomatic communications) Embassies’ operating status updates Schedules for diplomats Invitations to embassy events Recently, Unit42 researchers observed a shift in their strategy, with a focus on targeting diplomats themselves. In Kyiv alone, at least 22 out of over 80 foreign missions were targeted. This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the Cloaked Ursa (APT29) Diplomatic Phishing Campaign playbook and Rapid Breach Response incident type. The playbook includes the following tasks: IoCs Collection Blog IoCs download Hunting: Cortex XDR XQL exploitation patterns hunting Advanced SIEM exploitation patterns hunting Indicators hunting The hunting queries are searching for the following activities: Related LNK files execution command line Dropped file names Mitigations: Unit42 mitigation measures References: Diplomats Beware: Cloaked Ursa Phishing With a Twist

Name

Description

Cloaked Ursa Diplomatic Phishing Campaign

Cloaked Ursa: Targeting Diplomatic Missions with Phishing Lures

Summary:

Notes verbale (semiformal government-to-government diplomatic communications)
Embassies’ operating status updates
Schedules for diplomats
Invitations to embassy events

Recently, Unit42 researchers observed a shift in their strategy, with a focus on targeting diplomats themselves. In Kyiv alone, at least 22 out of over 80 foreign missions were targeted.

This playbook should be triggered manually or can be configured as a job.

Please create a new incident and choose the Cloaked Ursa (APT29) Diplomatic Phishing Campaign playbook and Rapid Breach Response incident type.

The playbook includes the following tasks:

IoCs Collection

Blog IoCs download

Hunting:

Cortex XDR XQL exploitation patterns hunting
Advanced SIEM exploitation patterns hunting
Indicators hunting

The hunting queries are searching for the following activities:

Related LNK files execution command line
Dropped file names

Mitigations:

Unit42 mitigation measures

References:

Diplomats Beware: Cloaked Ursa Phishing With a Twist

Playbooks

Name	Description
Cloaked Ursa Diplomatic Phishing Campaign	Cloaked Ursa: Targeting Diplomatic Missions with Phishing Lures Summary: Cloaked Ursa, a hacking group associated with Russia's Foreign Intelligence Service, has been persistently targeting diplomatic missions globally. Using phishing tactics, Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following: Notes verbale (semiformal government-to-government diplomatic communications) Embassies’ operating status updates Schedules for diplomats Invitations to embassy events Recently, Unit42 researchers observed a shift in their strategy, with a focus on targeting diplomats themselves. In Kyiv alone, at least 22 out of over 80 foreign missions were targeted. This playbook should be triggered manually or can be configured as a job. Please create a new alert and choose the Cloaked Ursa (APT29) Diplomatic Phishing Campaign playbook and Rapid Breach Response alert type. The playbook includes the following tasks: IoCs Collection Blog IoCs download Hunting: Cortex XDR XQL exploitation patterns hunting Advanced SIEM exploitation patterns hunting Indicators hunting The hunting queries are searching for the following activities: Related LNK files execution command line Dropped file names Mitigations: Unit42 mitigation measures References: Diplomats Beware: Cloaked Ursa Phishing With a Twist

Name

Description

Cloaked Ursa Diplomatic Phishing Campaign

Cloaked Ursa: Targeting Diplomatic Missions with Phishing Lures

Summary:

Notes verbale (semiformal government-to-government diplomatic communications)
Embassies’ operating status updates
Schedules for diplomats
Invitations to embassy events

Recently, Unit42 researchers observed a shift in their strategy, with a focus on targeting diplomats themselves. In Kyiv alone, at least 22 out of over 80 foreign missions were targeted.

This playbook should be triggered manually or can be configured as a job.

Please create a new alert and choose the Cloaked Ursa (APT29) Diplomatic Phishing Campaign playbook and Rapid Breach Response alert type.

The playbook includes the following tasks:

IoCs Collection

Blog IoCs download

Hunting:

Cortex XDR XQL exploitation patterns hunting
Advanced SIEM exploitation patterns hunting
Indicators hunting

The hunting queries are searching for the following activities:

Related LNK files execution command line
Dropped file names

Mitigations:

Unit42 mitigation measures

References:

Diplomats Beware: Cloaked Ursa Phishing With a Twist

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR

Optional Content Packs (6)

Pack Name	Pack By
Azure Log Analytics	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Elasticsearch	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR

All level dependencies (13)

Pack Name	Pack By
Asset	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Base	By: Cortex XSOAR

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 13, 2023
Last Release	July 13, 2023

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.