Diplomats in Ukraine Targeted by “Staggering” BMW Phishing Campaign

Written by

A notorious Russian state-affiliated cyber gang has leveraged a legitimate sale of a BMW car to target diplomats in Kyiv, Ukraine, a new analysis by Palo Alto Network’s Unit 42 researchers has observed.

The novel phishing campaign was carried out by the ‘Cloaked Ursa’ group (aka Cozy Bear, APT29), which the US and UK have publicly attributed to Russia’s Foreign Intelligence Service (SVR).

The campaign targeted at least 22 of over 80 foreign embassies in Kyiv, a “truly astonishing” number according to the researchers.

The campaign was based around a legitimate email flyer from a diplomat within the Polish Ministry of Foreign Affairs to various embassies. This advertized the sale of a used BMW 5-series sedan located in Kyiv, with the file attachment titled ‘BMW 5 for sale in Kyiv – 2023.docx.’

The researchers noted that the availability of a reliable car from a trusted diplomat would attract the interest of recent arrivals into the region, given the difficulties of arranging transportation and other goods into Ukraine in the current environment.

It is likely that Cloaked Ursa observed the legitimate flyer after compromising one of the email recipient’s email servers, and saw an opportunity to repurpose in the form of a phishing lure.

On May 4, 2023, the gang emailed their illegitimate version of the flyer to multiple diplomatic missions throughout Kyiv, using benign Microsoft Word documents of the same name.

However, if a recipient clicks on a link offering “more high quality photos,” they will be redirected to a legitimate site that has been coopted by Cloaked Ursa. When the victim attempts to view the photos, a malicious payload will execute silently in the background while the image displays on their screen.

The group used publicly available embassy email addresses to reach around 80% of the targets, with the remaining 20% consisting of unpublished email addresses not found on the surface web.

The majority were sent to general inboxes for the embassy, but a few were sent directly to individuals’ work addresses.

There is no information of how successful the campaign has been in infecting the targeted diplomats. However, the researchers said the number of targeted embassies was “staggering in scope for what generally are narrowly scoped and clandestine APT operations.”

Palo Alto’s assessment that Cloaked Ursa is responsible for the campaign is based on the following factors:

  • Similarities to other known Cloaked Ursa campaigns and targets
  • Use of known Cloaked Ursa TTPs
  • Code overlap with other known Cloaked Ursa malware

The researchers said that the BMW campaign shows that diplomatic missions are a high-value espionage target for the Russian government to gain intelligence about Ukraine and its allies.

The blog read: “Diplomats should appreciate that APTs continually modify their approaches – including through spear phishing – to enhance their effectiveness. They will seize every opportunity to entice victims into compromise. Ukraine and its allies need to remain extra vigilant to the threat of cyber espionage, to ensure the security and confidentiality of their information.”

Earlier this week (July 10), research by BlackBerry found that the RomCom threat actor launched a targeted cyber campaign aimed at organizations and individuals supporting Ukraine just days before the highly anticipated NATO Summit.

Image credit: rebinworkshop/ Shutterstock.com

What’s hot on Infosecurity Magazine?