Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Government

Fake Used-Car Flyer for 2011 BMW Phishes Diplomats in Kyiv

Campaign Targets 22 Embassies; Unit 42 Ties It to Russian Foreign Intelligence
Fake Used-Car Flyer for 2011 BMW Phishes Diplomats in Kyiv
Malicious listing targeting diplomats in Ukraine (Source: Palo Alto Networks Unit 42)

Diplomats in the Ukrainian capital of Kyiv who shopped for used cars may have gotten more than they bargained for.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

A recent phishing attack targeted Kyiv-based embassy employees via a malicious listing for a 2011 BMW 5 Series, promising "very good condition, low fuel consumption" for a reduced price of 7,500 euros. The advertisement invited readers to click on links to learn and see "high-quality photos," but the links led users to suborned websites designed to push malicious code onto their system, researchers with the Unit 42 threat intelligence group at Palo Alto Networks reported.

Ironically, the used-car ad was originally a legitimate flyer emailed by a Polish diplomat in April to a number of embassies in Kyiv. The researchers suspect adversaries intercepted the flyer and recognized its appeal as phishing lure for diplomats serving short stints in Ukraine and in need of transportation.

On May 4, threat actors sent a malicious version of the Word document flyer, targeting at least 22 of the more than 80 embassies in Kyiv, including those for Albania, Canada, Estonia, Greece, Iraq, Ireland, Latvia, Libya, Norway, Turkey and the United States, Unit 42 reported.

"This is staggering in scope for what generally are narrowly scoped and clandestine APT operations," the researchers said.

They attributed the attack campaign, which ran for an unspecified amount of time before going dark in mid-June, to an advanced persistent threat group tied to Russia's foreign intelligence service, known as the SVR. The group is known by a variety of codenames, including APT29, Cozy Bear, UAC-0029, Nobelium and Cloaked Ursa.

The researchers believe APT29 conducted the SolarWinds supply chain attack discovered in December 2020. In that very sophisticated effort, attackers hacked the software developer's Microsoft Visual Studio development tools to add a backdoor into the Orion network monitoring security software it shipped to customers.

Sheer Hacking Persistence

Of the email addresses targeted by attackers, Unit 42 said 80% were publicly available and easily obtained, and many led to general mailboxes. Targeting a general mailbox could have been designed to trick staff who administer such mailboxes into disseminating the malicious listings to embassy employees, perhaps leading recipients to place more trust in the messaging.

The remaining 20% of email addresses targeted were nonpublic, meaning "attackers likely also used other collected intelligence to generate their victim target list to ensure they were able to maximize their access to desired networks," the researchers said.

Their attribution isn't ironclad. They said it's based in part on overlap between the code used in this attack and code previously used by operations that the U.S. and U.K. governments have attributed to SVR operators, as well as shared tactics, techniques and procedures.

Since Russia intensified its invasion of Ukraine in February 2022, APT29 has been one of a small number of Russian groups actively engaged in associated cyber operations. The group has been tied in part to numerous phishing campaigns designed to target government agencies and diplomatic operations across Ukraine and its allies.

"Diplomatic missions will always be a high-value espionage target," Unit 42 said. "Sixteen months into the Russian invasion of Ukraine, intelligence surrounding Ukraine and allied diplomatic efforts are almost certainly a high priority for the Russian government.

Dodgy Links

Hyperlinks in the BMW listing led to a legitimate site that was suborned to push a large malicious bmw.iso file, which if opened by a user reveals nine apparent image files, the researchers said. These purported PNG files are actually LNK Windows shortcut files, which if clicked are designed to run a script that will load malicious DLL files, among other steps that enable the attack to progress. If successful, the malware will eventually execute a payload in memory that facilitates communications with a command-and-control server, which then pushes a malicious payload to the infected endpoint.

The researchers said C2 communications were handled using the Microsoft Graph API, which is designed for accessing Microsoft Cloud service resources, and which seems to be a newly adopted tactic for the group. If that C2 communication method failed, the malware's fallback strategy was to send commands - at least sometimes disguised as bitmap files - using the Dropbox API.

APT29 has been previously tied to many of these TTPs, as detailed in a teardown of malware used in a spear-phishing attack attributed to APT29 published last year by Jiří Vinopal, a threat researcher at Check Point. The campaign he analyzed also used an ISO file to target users by displaying purported files for them to execute while hiding file attributes to make their ruse tougher to detect.

Vinopal's analysis of the malware likewise found it was abusing a "legitimate 'Dropbox' service which acts as middleman between C2 Dropbox client and C2 Dropbox server communication," which would deliver malicious code encrypted using a key unique to each victim. Once decrypted, this code would likely have downloaded Cobalt Strike or similar software to help carry the attack forward, he said.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.