From time to time, you may come across an advertisement for a secondhand car that appears too good to be true. If you were duped into buying the car, you might get a lemon or a vehicle that had been reported stolen. Or, as happened not too long ago, you could unwittingly endanger the security of a foreign mission's computer network.

According to Reuters, Russian spies fabricated a classified ad for a used automobile to infect computers in Ukrainian diplomatic facilities. The machines were targeted in order to steal information. Unit 42, a research group at Palo Alto Networks, investigated the incident and reported its findings.

The incident began in April 2023, when a Polish ambassador sent an email containing a genuine advertisement for a used vehicle. The official was attempting to sell a 2011 BMW 520d to other embassies that might need a car. The first flyer was a Microsoft Word file with just two photographs of the vehicle and little other information.

After that, a group referred to as "Cloaked Ursa," "Cozy Bear," or "APT29" obtained the flyer. After some time, the flyer was revised, and in May it was distributed to at least 22 foreign offices in Ukraine. The group pursued its objectives worldwide, including in countries such as the United States of America, Spain, Turkey, Libya, Denmark, and the Netherlands. Some recipients were contacted through official email addresses that were publicly accessible, while others were contacted through private email addresses obtained from other intelligence operations.

The agents inserted their own link, presented as leading to additional photographs of the vehicle, to direct victims to a website hosting harmful content. If a user downloaded and viewed any of the stolen pictures on their computer, the device would become infected with information-gathering malware.

The Polish minister responsible for posting the advertisement in the first place was eventually made aware of what was going on. The flyer had been altered to give the impression that the price of the car was only 7,500 euros, equivalent to USD 8,350. The diplomat, who spoke anonymously to Reuters, explained, "When I checked, I realised they were talking about a slightly lower price." Asking prices for most comparable automobiles in Europe are in the low five figures.

The attack has been attributed to APT29 due to how it was carried out, the software used, and the degree to which it resembled previous attacks carried out by the same group. A connection has been made between the Russian foreign intelligence organisation, the SVR, and the hacking group known as APT29.

Reuters could not speak with 21 of the 22 missions that appear to have been targeted because they declined to comment. The United States Department of State noted the attempted break-in but determined that none of the systems within the office were compromised as a result of the incident.

The Polish official made it clear that the vehicle had yet to be sold. Now, instead of trying to sell it to an official from another country, the official is attempting to sell it in Poland. According to the envoy's comments to Reuters, "After this, I don't want to have any more problems."

This incident should serve as a cautionary tale that diplomatic offices worldwide are constantly at risk of cyberattack. A simple email attachment such as a Word document can pose a significant threat to a system's security. Many foreign workers may now receive a refresher course on handling emails with attachments that appear to be safe.
