Russians try to exploit sale of a BMW 5 to hack diplomats in Ukraine: Report


Diplomats based in Ukraine have been the targets of many attempts by Russia to compromise their IT systems.

One of the latest was aimed at envoys from 22 countries, including Canada and the United States, with an unexpected lure: taking advantage of a Polish diplomat’s offer to sell a used BMW 5 Series sedan.

According to researchers at Palo Alto Networks’ Unit 42 threat intelligence service, in April a diplomat within the Polish Ministry of Foreign Affairs emailed a document to various embassies advertising the sale of his Bimmer with 266,000 km.

Apparently this was spotted by the group Palo Alto Networks calls Cloaked Ursa (which other researchers call APT29, UAC-0029, Cozy Bear, Nobelium or, in Microsoft’s new nomenclature, Midnight Blizzard). The U.S. and the U.K. say this group is part of Russia’s foreign intelligence service, known as the SVR.

Two weeks after this email was sent, Cloaked Ursa emailed another version of this flyer to multiple diplomatic missions throughout Kyiv, saying the price had been reduced. However, anyone who clicked on a link offering “more high quality photos” would have gone to a legitimate but compromised website hosting the images. These “pictures” are actually Windows shortcut (.lnk) files masquerading as PNG image files. Attempting to view the photos results in malware being downloaded in the background, which then communicates with a command and control server.
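The shortcut-disguised-as-image trick described above is easy to catch on the defender's side, because a Windows shell link carries a fixed header regardless of what the file is named. The following is an added example written for this page, not code from Unit 42 or from the article: it classifies files by their leading bytes and flags any entry whose name claims to be an image but whose content is a .lnk. The header constant comes from the MS-SHLLINK specification (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046); the sample file set is constructed in memory and is not an artifact from the campaign.

```python
# Added example (not from the Unit 42 report or the article): detect files whose
# extension claims an image but whose header bytes identify a Windows shortcut.
# The SAMPLE_FILES below are constructed in-memory stand-ins, not real artifacts.
import os

# Windows Shell Link header: HeaderSize 0x0000004C (little-endian) followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK section 2.1).
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Leading bytes of common image formats an attacker might claim to be sending.
IMAGE_MAGICS = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever the name says."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    for kind, magic in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def is_masquerading(name: str, data: bytes) -> bool:
    """True when the name advertises an image but the content is a shell link.

    Also covers the 'photo.png.lnk' double-extension form, where Explorer's
    default 'hide extensions for known file types' setting hides the final .lnk.
    """
    root, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(root)[1]
    claims_image = ext in IMAGE_EXTS or (ext == ".lnk" and inner_ext in IMAGE_EXTS)
    return claims_image and sniff_type(data) == "lnk"


def scan(files: dict) -> list:
    """Return the sorted names of suspicious entries from a {name: bytes} mapping,
    for example the members of a downloaded archive read into memory."""
    return sorted(n for n, d in files.items() if is_masquerading(n, d))


# Constructed sample set: one genuine-looking PNG, one shell link named as a PNG,
# one double-extension shell link, and one honestly named shortcut.
SAMPLE_FILES = {
    "bmw_front.png": IMAGE_MAGICS["png"] + b"\x00" * 32,
    "bmw_side.png": LNK_MAGIC + b"\x00" * 56,
    "bmw_rear.jpg.lnk": LNK_MAGIC + b"\x00" * 56,
    "readme.lnk": LNK_MAGIC + b"\x00" * 56,
}

if __name__ == "__main__":
    for name in scan(SAMPLE_FILES):
        print(f"ALERT: {name} is named like an image but is a Windows shortcut")
```

The check deliberately trusts the bytes over the name; a mail gateway or endpoint scanner applying the same rule to archive members would have flagged the "photos" before a user ever double-clicked one.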

Usually attempts by this threat actor are more subtle, says the report, with spear phishing focused on Notes verbale (semiformal government-to-government diplomatic communications), invitations to embassy events, and embassies’ operating status updates.

Most of the emails in this campaign went to the general inboxes of embassies. A few went to targeted individuals.

However, sending an email to over 22 embassies “is staggering in scope for what generally are narrowly scoped and clandestine APT operations,” the researchers say.

“While we don’t have details on their infection success rate, this is a truly astonishing number for a clandestine operation conducted by an advanced persistent threat (actor).”

Diplomatic missions will always be a high-value espionage target, says the report. “Sixteen months into the Russian invasion of Ukraine, intelligence surrounding Ukraine and allied diplomatic efforts are almost certainly a high priority for the Russian government.

“As the above campaigns show, diplomats should appreciate that APTs continually modify their approaches – including through spear phishing – to enhance their effectiveness. They will seize every opportunity to entice victims into compromise. Ukraine and its allies need to remain extra vigilant to the threat of cyber espionage, to ensure the security and confidentiality of their information.”

The post Russians try to exploit sale of a BMW 5 to hack diplomats in Ukraine: Report first appeared on IT World Canada.
Howard Solomon (https://www.itworldcanada.com)
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
