A report from a cybersecurity firm, reviewed by Reuters, revealed that "hackers suspected of working for the Russian foreign intelligence service targeted dozens of diplomats at embassies in Ukraine, using a fake advertisement for a used car in an attempt to breach the diplomats' computers." The report noted that the campaign began with a routine, harmless incident, stating, "In mid-April 2023, a diplomat from the Polish Ministry of Foreign Affairs sent an ad to several embassies for the sale of a used BMW 5 Series in Kyiv."
Analysts from Unit 42, a research division of Palo Alto Networks, indicated that "the extensive espionage operation targeted diplomats working in 22 out of approximately 80 foreign missions located in the Ukrainian capital of Kyiv." They added: "The group of hackers, known as APT29 or Cozy Bear, intercepted the ad, copied it, added malicious software to it, and then sent it to dozens of foreign diplomats in Kyiv."
Unit 42 noted that "this malware was concealed in an image album of the used BMW, and attempting to open those images would lead to the malware being transferred to the user's device." Researchers at Unit 42 were able to link the fake car advertisement to the Russian foreign intelligence service because the hackers reused certain tools and methods that had previously been associated with the agency.
