Russians try to exploit sale of a BMW 5 to hack diplomats in Ukraine: Report

Diplomats based in Ukraine have been the targets of many attempts by Russia to compromise their IT systems.

One of the latest was aimed at envoys from 22 countries, including Canada and the United States, with an unexpected effort: Taking advantage of a Polish diplomat’s offer to sell a used BMW 5 Series sedan.

According to researchers at Palo Alto Networks’ Unit 42 threat intelligence service, in April a diplomat within the Polish Ministry of Foreign Affairs emailed a document to various embassies advertising the sale of his Bimmer with 266,000 km.

Apparently this was spotted by the group Palo Alto Networks calls Cloaked Ursa (which other researchers call APT29, UAC-0029, Cozy Bear, Nobelium or, in Microsoft’s new nomenclature Midnight Blizzard). The U.S. and the U.K. say this group is part of Russia’s foreign intelligence service, known as the SRV.

Two weeks after this email was sent, Cloaked Ursa emailed another version of this flyer to multiple diplomatic missions throughout Kyiv, saying the price had been reduced. However, anyone who clicked on a link offering “more high quality photos,” would have gone to a legitimate but compromised website with images. These pictures are actually Windows shortcut files masquerading as PNG image files. Attempts to view the photos result in malware being downloaded in the background. That led to communications to a command and control server.

Usually attempts by this threat actor are more subtle, says the report, with spear phishing focused on Notes verbale (semiformal government-to-government diplomatic communications), invitations to embassy events, and embassies’ operating status updates.

Most of the emails in this campaign went to the general inboxes of embassies. A few went to targeted individuals.

However, sending an email to over 22 embassies “is staggering in scope for what generally are narrowly scoped and clandestine APT operations,” the researchers say.

“While we don’t have details on their infection success rate, this is a truly astonishing number for a clandestine operation conducted by an advanced persistent threat (actor).”

Diplomatic missions will always be a high-value espionage target, says the report. “Sixteen months into the Russian invasion of Ukraine, intelligence surrounding Ukraine and allied diplomatic efforts are almost certainly a high priority for the Russian government.

“As the above campaigns show, diplomats should appreciate that APTs continually modify their approaches – including through spear phishing – to enhance their effectiveness. They will seize every opportunity to entice victims into compromise. Ukraine and its allies need to remain extra vigilant to the threat of cyber espionage, to ensure the security and confidentiality of their information.”