Russian Hackers’ Cheap BMW Ad Tricked Ukraine Embassy Workers
In a concerning cyberespionage campaign, hackers suspected to be working for Russia’s foreign intelligence agency have targeted numerous diplomats at embassies in Ukraine. The malicious activity was executed through a deceptive used car advertisement, as detailed in a report by cybersecurity firm Palo Alto Networks’ Unit 42 research division. The report, scheduled for publication later today, sheds light on the wide-reaching espionage effort that affected diplomats from approximately 22 out of the 80 foreign missions in Kyiv, Ukraine’s capital.
According to the report, the campaign initially appeared innocuous and legitimate. It began when a diplomat within the Polish Ministry of Foreign Affairs sent out a genuine flyer advertising the sale of a used BMW 5-series sedan in Kyiv. Unbeknownst to the diplomat, the hackers, identified as APT29 or “Cozy Bear,” intercepted and duplicated the flyer. They then embedded malicious software into the document before disseminating it to several other foreign diplomats working in Kyiv.
The scope of this operation is remarkable, particularly for an advanced persistent threat (APT) campaign, which is typically more narrowly focused and covert, according to the report. APT29 was publicly linked to Russia’s Foreign Intelligence Service, the SVR, by U.S. and British intelligence agencies in 2021. The SVR did not respond to Reuters’ request for comment regarding this hacking campaign.
This recent revelation comes on the heels of a warning issued by Polish counterintelligence and cybersecurity authorities in April, stating that the same group had launched a pervasive intelligence campaign targeting NATO member states, the European Union, and Africa.
The researchers at Unit 42 were able to attribute the fake car advert to the SVR hackers based on the reuse of certain tools and techniques previously associated with the spy agency. Given the ongoing conflict between Russia and Ukraine, the report suggests that intelligence surrounding Ukraine and the diplomatic efforts of its allies is likely of high priority to the Russian government.
The original car advert, sent by the Polish diplomat to various embassies in Kyiv, caught the attention of the hackers due to its “attractive” price. However, when individuals inquired about the offer, they were informed of a slightly lower price by the diplomat. It was later revealed that the SVR hackers had listed the diplomat’s BMW at a reduced price of 7,500 euros in their counterfeit version of the advert. The intention was to entice more recipients to download the purported photo album of the vehicle, which was actually a disguise for malicious software granting the attackers remote access to the recipient’s device.
While 21 out of the 22 targeted embassies approached by Reuters declined to comment on the incident, it remains unclear which, if any, embassies were compromised. The U.S. State Department said that its systems and accounts were unaffected. As for the diplomat’s car, it is still for sale, but he expressed a desire to sell it in Poland to avoid further problems stemming from this incident.