Diplomats in Ukraine Targeted by “Staggering” BMW Phishing Campaign

A notorious Russian state-backed cyber gang used the legitimate sale of a BMW car to target diplomats in Kiev, Ukraine, new analysis by Palo Alto Networks Unit 42 researchers reveals.

The novel phishing campaign was carried out by the “Cloaked Ursa” group (aka Cozy Bear, APT29), which the US and UK have publicly attributed to the Russian Foreign Intelligence Service (SVR).

The campaign has targeted at least 22 of the more than 80 foreign embassies in Kiev, a number researchers say is “genuinely staggering”.

The campaign was based on a legitimate e-mail flyer sent to various embassies by a diplomat from the Polish Ministry of Foreign Affairs, advertising the sale of his second-hand BMW 5 Series sedan in Kiev, with an attachment titled “BMW 5 for sale in Kyiv – 2023.docx”.

Given the difficulty of arranging transport and other goods in Ukraine in the current environment, the researchers said, a reliable vehicle offered by a trusted diplomat would be a huge advantage, and therefore of great interest, to anyone who had recently arrived in the region.

Cloaked Ursa may have seen the legitimate flyer after compromising the email server of one of its recipients, and spotted an opportunity to reuse it as a phishing lure.

On May 4, 2023, the gang emailed fraudulent versions of the flyer to multiple diplomatic missions across Kiev, attaching a benign Microsoft Word document of the same name.

However, when the recipient clicks on the link in the document offering “higher quality pictures”, they are redirected to a legitimate website compromised by Cloaked Ursa. When the victim tries to view the photos, the malicious payload runs silently in the background while the image is displayed on the screen.

The group used publicly listed embassy email addresses to reach approximately 80% of its targets; the remaining 20% were unpublished addresses not found on the surface web.

Most emails were sent to embassies’ general inboxes, but a few went directly to individuals’ work addresses.

There is no information on how successful the campaign was in infecting targeted diplomats. But the researchers said the number of embassies targeted was “staggering given the scope of covert APT operations, which are typically small in scope.”

Palo Alto’s assessment that Cloaked Ursa is responsible for the campaign is based on the following factors:

  • Similarities to other known Cloaked Ursa campaigns and targets
  • Use of known Cloaked Ursa TTPs
  • Code duplication with other known Cloaked Ursa malware

The researchers said the BMW campaign showed that diplomatic missions are important espionage targets for the Russian government as it seeks information about Ukraine and its allies.

The blog says: “Diplomats should be aware that APTs are continually modifying their approaches, including spear phishing, to increase their effectiveness. They seize every opportunity to lure and compromise victims. Ukraine and its allies need to remain particularly vigilant against cyber espionage threats to ensure information security and confidentiality.”

Earlier this week (July 10), a BlackBerry investigation found that the RomCom threat actor had launched a cyber campaign targeting organizations and individuals supporting Ukraine just days before the highly anticipated NATO summit.
