Russian hackers attacked foreign embassies in Kyiv using an ad for the sale of a Polish diplomat’s BMW

Russian hackers attacked the computers of diplomats at foreign embassies in Kyiv using an advertisement for a cheap BMW. As reported by Babel, citing Reuters, at least 22 of the approximately 80 foreign missions were attacked.

Russian hackers
  • In mid-April 2023, a diplomat of the Ministry of Foreign Affairs of Poland sent an e-mail to various embassies announcing that he was selling a used BMW 5 Series sedan in Kyiv.
  • However, the hacker group APT29, also known as “Cozy Bear”, which is associated with the Russian Federation, intercepted and copied this announcement, inserted malware into it and sent it to dozens of other foreign diplomats working in Kyiv. The malware was disguised as a BMW photo album.
  • The Polish diplomat said he sent the original ad to various embassies in Kyiv, and that someone called him back because the price looked “attractive.” “When I checked, I realized that they were talking about a slightly lower price,” the diplomat said. It turned out that the hackers listed a lower price for the diplomat’s BMW — €7,500 — to get more people to click on the ad.
  • In 2021, US and British intelligence services identified APT29 as a unit of Russia’s Foreign Intelligence Service. In April 2023, Polish counterintelligence and cyber security agencies warned that the group had conducted a “large-scale intelligence campaign” against NATO member states, the European Union, and Africa.
  • Unit 42 researchers were also able to link the fake car ad to Russia’s Foreign Intelligence Service because the hackers used certain tools and techniques previously used by Russians.