Dozens of Ukrainian diplomats' laptops were compromised using a fake used-vehicle ad by hackers believed to be working for Russia's foreign intelligence service, a cybersecurity firm reported on Wednesday, July 12.
At least 22 of the approximately 80 foreign embassies in Kyiv, the capital of Ukraine, were the targets of the extensive espionage effort, according to experts from Palo Alto Networks' Unit 42 research branch.
Kyiv Embassies Targeted by Cyberattack
The campaign was predicated on something completely lawful and harmless. "In mid-April 2023, a diplomat within the Polish Ministry of Foreign Affairs emailed a legitimate flyer to various embassies advertising the sale of a used BMW 5-series sedan located in Kyiv," said the report.
The diplomat from Poland, who did not want to be named for security reasons, revealed that his advertisement had played a part in the cyberattack.
Unit 42 said hackers belonging to the APT29 or "Cozy Bear" group intercepted and duplicated the advertisement, inserted harmful software into it, and then forwarded it to hundreds of additional foreign diplomats based in Kyiv.
In 2021, APT29 was traced back to Russia's foreign intelligence service, the SVR, by the US and UK intelligence agencies.
Authorities in Poland warned in April that the same organization had launched a "widespread intelligence campaign" targeting countries in NATO, the European Union, and Africa.
Because the hackers reused several tools and methods associated with the SVR, researchers at Unit 42 were able to trace the bogus car ad back to the espionage organization.
"Diplomatic missions will always be a high-value espionage target ... Sixteen months into the Russian invasion of Ukraine, intelligence surrounding Ukraine and allied diplomatic efforts are almost certainly a high priority for the Russian government," Unit 42 stated.
Fake Car Ad
In a report by Reuters, the Polish ambassador said he had sent the first advertisement to other Kyiv embassies and received a call in response because the cost was attractive. The ambassador told Reuters, "When I checked, I realized they were talking about a slightly lower price."
Reuters discovered that SVR hackers had listed the diplomat's BMW at a discounted price of 7,500 euros in their bogus version of the ad. The lower price got more individuals to download the malicious software, which allowed remote access to their devices.
According to Unit 42, the software in question was disguised as a photo album of the pre-owned BMW. Opening the photos would have infected the target's computer, the report stated.
Speaking on behalf of the US government, a spokeswoman said that they were "aware of the activity and based on the Directorate of Cyber and Technology Security's analysis found it did not affect Department systems or accounts."
The Polish official said that the vehicle was still for sale.