Russian Hackers Used a Fake BMW Ad to Trick Diplomats in Ukraine

If you're an embassy worker in the market for a used car, the Russians have a BMW to sell you.

Sometimes you come across a used car ad that appears too good to be true. Fall for the ruse, and you might end up buying a lemon or a stolen vehicle. Or, in the case of recent events, you could accidentally risk compromising the cybersecurity of a diplomatic mission.

As covered by Reuters, Russian intelligence personnel allegedly created a fake used car ad to infect computers in diplomatic missions within Ukraine. The incident has come to light via a report from Unit 42, a research division within Palo Alto Networks.

The attackers piggybacked on a legitimate used car ad, shared via email by a Polish diplomat in April 2023. The advert concerned a 2011 BMW 520d, which the diplomat was offering for sale to various other embassy contacts that may be in need of transportation. The original flyer sent out was a Word document, featuring basic information and two pictures of the car.

The flyer was later intercepted by a group known as “Cloaked Ursa,” “Cozy Bear,” or “APT29.” The flyer was then modified and sent out in May to at least 22 foreign missions within Ukraine. The group targeted embassies of the U.S., Spain, Turkey, Libya, Denmark, and the Netherlands, among others. Many were targeted via publicly available embassy email addresses, while others were reached via private emails likely collected by other intelligence activities.

The agents replaced a link to additional photos of the car with their own, which directed victims to a site hosting a malicious payload. Downloading any of the compromised photos and opening them would expose the user’s computer to malware intended for intelligence-gathering purposes.

The attack eventually became apparent to the Polish diplomat who first posted the ad. The trick was that the modified version of the flyer listed a lower price for the car, of just 7,500 euros ($8,350 USD). “When I checked, I realized they were talking about a slightly lower price,” said the diplomat, who declined to be identified when speaking to Reuters. Most similar cars in Europe are selling in the low five-figure range.

The attack has been attributed to APT29 due to the techniques and malware used, and the similarity to other attacks by the group. APT29 has been identified as a part of the Russian foreign intelligence service known as the SVR.

Of the 22 embassies known to be targeted, 21 declined to provide comment to Reuters. As for the U.S., the State Department noted the attempted attack but found that it had not compromised any of the embassy’s systems.

As for the car itself, the Polish diplomat noted it has not yet sold. Rather than try and sell it to a foreign diplomat, the individual is now looking to sell it in Poland, instead. “After this situation, I don’t want to have any more problems,” the diplomat told Reuters.

The incident goes to show the everyday cyber risks faced by diplomatic missions across the world. Even a simple Word document attached to an email can lead to a serious security issue. It’s likely that many embassy employees are now getting a refresher on how to handle seemingly-innocuous email attachments.

Got a tip? Let the author know: