Cloaked Ursa Diplomatic Phishing Campaign

## Cloaked Ursa: Targeting Diplomatic Missions with Phishing Lures **Summary:** Cloaked Ursa, a hacking group associated with Russia's Foreign Intelligence Service, has been persistently targeting diplomatic missions globally. Using phishing tactics, Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following: - Notes verbale (semiformal government-to-government diplomatic communications) - Embassies’ operating status updates - Schedules for diplomats - Invitations to embassy events Recently, Unit42 researchers observed a shift in their strategy, with a focus on targeting diplomats themselves. In Kyiv alone, at least 22 out of over 80 foreign missions were targeted. **This playbook should be triggered manually or can be configured as a job.** Please create a new incident and choose the Cloaked Ursa (APT29) Diplomatic Phishing Campaign playbook and Rapid Breach Response incident type. **The playbook includes the following tasks:** **IoCs Collection** - Blog IoCs download **Hunting:** - Cortex XDR XQL exploitation patterns hunting - Advanced SIEM exploitation patterns hunting - Indicators hunting The hunting queries are searching for the following activities: - Related LNK files execution command line - Dropped file names **Mitigations:** - Unit42 mitigation measures **References:** [Diplomats Beware: Cloaked Ursa Phishing With a Twist](https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/)

Cloaked Ursa Diplomatic Phishing Campaign · 42 tasks · 9 inputs · 0 outputs

Inputs

  • PlaybookDescription — The playbook description to be used in the Rapid Breach Response - Set Incident Info sub-playbook.
  • autoBlockIndicators — Wether to block the indicators automatically.
  • QRadarTimeRange — The time range for the QRadar queries.
  • SplunkEarliestTime — The time range for the Splunk queries.
  • ElasticEarliestTime — The time range for the Elastic queries.
  • LogAnalyticsTimespan — The time range for the Azure Log Analytics queries.
  • XQLTimeRange — The time range for the XQL queries.
  • ElasticIndex — The elastic index to search in.
  • emailIndicators — The email indicators provided in the blog.

Commands used

azure-log-analytics-execute-query closeInvestigation es-eql-search splunk-search xdr-xql-generic-query

Flowchart

Yes Yes Yes yes Yes Yes yes Start Start Collect Indicators Collect Indicators Collect IoCs from Unit42 - ParseHTMLIndicators Collect IoCs from Unit42 ParseHTMLIndicators Tag Indicators Tag Indicators Set Rapid Breach Response Layout Set Rapid Breach Response... Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Tag Domain Indicators - CreateNewIndicatorsOnly Tag Domain Indicators CreateNewIndicatorsOnly Threat Hunting Threat Hunting SIEM Advanced Hunting SIEM Advanced Hunting Indicators Hunting Indicators Hunting Cortex Hunting Cortex Hunting Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Tag Email Indicators - CreateNewIndicatorsOnly Tag Email Indicators CreateNewIndicatorsOnly Tag URL Indicators - CreateNewIndicatorsOnly Tag URL Indicators CreateNewIndicatorsOnly Is Splunk Enabled? Is Splunk Enabled? Is QRadar Enabled? Is QRadar Enabled? Is Elasticsearch Enabled? Is Elasticsearch Enabled? Is Azure Log Analytics Enabled? Is Azure Log Analytics En... LNK file execution - azure-log-analytics-execute-query LNK file execution azure-log-analytics-execute-q... LNK file execution - splunk-search LNK file execution splunk-search LNK file execution - es-eql-search LNK file execution es-eql-search QRadarFullSearch - QRadarFullSearch QRadarFullSearch QRadarFullSearch Suspicious file paths and names - azure-log-analytics-execute-query Suspicious file paths and... azure-log-analytics-execute-q... Suspicious file paths and names - splunk-search Suspicious file paths and... splunk-search Suspicious file paths and names - es-eql-search Suspicious file paths and... es-eql-search QRadarFullSearch - QRadarFullSearch QRadarFullSearch QRadarFullSearch Cortex XDR - XQL Hunting Queries Cortex XDR - XQL Hunting ... Is Cortex XDR - XQL Enabled? Is Cortex XDR - XQL Enabled? LNK file execution - xdr-xql-generic-query LNK file execution xdr-xql-generic-query Suspicious file paths and names - xdr-xql-generic-query Suspicious file paths and... xdr-xql-generic-query Should continue with the investigation? Should continue with the ... Should block indicators automatically? Should block indicators a... Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3 Handle indicators manually Handle indicators manually Investigate further Investigate further Done Done Remediation Remediation Mitigation Mitigation Unit42 recommendations Unit42 recommendations Resolution Resolution Tag File Indicators - CreateNewIndicatorsOnly Tag File Indicators CreateNewIndicatorsOnly Close Investigation - closeInvestigation Close Investigation closeInvestigation