Russians try to exploit sale of a BMW 5 to hack diplomats in Ukraine: Report

Diplomats based in Ukraine have been the targets of many attempts by Russia to compromise their IT systems.

One of the latest was aimed at envoys from 22 countries, including Canada and the United States, with an unexpected effort: Taking advantage of a Polish diplomat’s offer to sell a used BMW 5 Series sedan.

According to researchers at Palo Alto Networks’ Unit 42 threat intelligence service, in April a diplomat within the Polish Ministry of Foreign Affairs emailed a document to various embassies advertising the sale of his Bimmer with 266,000 km.

Apparently this was spotted by the group Palo Alto Networks calls Cloaked Ursa (which other researchers call APT29, UAC-0029, Cozy Bear, Nobelium or, in Microsoft’s new nomenclature Midnight Blizzard). The U.S. and the U.K. say this group is part of Russia’s foreign intelligence service, known as the SRV.

Two weeks after this email was sent, Cloaked Ursa emailed another version of this flyer to multiple diplomatic missions throughout Kyiv, saying the price had been reduced. However, anyone who clicked on a link offering “more high quality photos,” would have gone to a legitimate but compromised website with images. These pictures are actually Windows shortcut files masquerading as PNG image files. Attempts to view the photos result in malware being downloaded in the background. That led to communications to a command and control server.

Usually attempts by this threat actor are more subtle, says the report, with spear phishing focused on Notes verbale (semiformal government-to-government diplomatic communications), invitations to embassy events, and embassies’ operating status updates.

Most of the emails in this campaign went to the general inboxes of embassies. A few went to targeted individuals.

However, sending an email to over 22 embassies “is staggering in scope for what generally are narrowly scoped and clandestine APT operations,” the researchers say.

“While we don’t have details on their infection success rate, this is a truly astonishing number for a clandestine operation conducted by an advanced persistent threat (actor).”

Diplomatic missions will always be a high-value espionage target, says the report. “Sixteen months into the Russian invasion of Ukraine, intelligence surrounding Ukraine and allied diplomatic efforts are almost certainly a high priority for the Russian government.

“As the above campaigns show, diplomats should appreciate that APTs continually modify their approaches – including through spear phishing – to enhance their effectiveness. They will seize every opportunity to entice victims into compromise. Ukraine and its allies need to remain extra vigilant to the threat of cyber espionage, to ensure the security and confidentiality of their information.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs