A number of Ukrainian officials were targeted in a scam designed to infiltrate their devices and exfiltrate sensitive data.

The espionage activity, launched by Russian threat actors who are globally tracked as APT 29, targeted diplomats working in at least 22 of the 80 foreign missions in Ukraine’s capital, Kyiv, according to a recent report published by analysts at Palo Alto Networks’ Unit 42 research division.

Cheap car advert

The campaign all started with the interception of a legitimate email.

In mid-April 2023, a diplomat within the Polish Ministry of Foreign Affairs emailed a legitimate message to various embassies advertising the sale of a used BMW 5-series sedan in Kyiv.

The email sent by the diplomat contained the advert in the form of an attached MS Word document, which gave the Russians an opportunity for attack.

The original file contained a shortened URL link to a site with more photographs of the car for sale. The Russian threat actors copied the file, altered the embedded link to point to a different URL serving malware-embedded images, and sent a new email off to would-be victims in embassies across the globe, including Albania, Argentina, Kuwait, Norway, Spain, the USA, and Uzbekistan.

In an attempt to ensure as many people as possible opened the file, they lowered the price of the car to €7,500 – a very attractive price for such a good car.

The fake advert sent by Cozy Bear

When anyone opened the images, the malware silently went to work infecting the victim’s PC.