Phishers Targeting Diplomats in Kyiv with Fake 2011 BMW Flyers


When the recipient clicks the link in the attachment promising more high-quality photos of the car for sale, they are sent through a shortened URL to a legitimate website the attackers co-opted. While the victim is looking for the photos, the malicious payload is delivered and executed in the background.

Palo Alto Networks’ Unit 42 researchers found a new phishing campaign in which the Cloaked Ursa APT group targets diplomats in Kyiv, Ukraine. It is not yet clear whether the group achieved its objectives. Regardless, researchers found that a large share of the embassies in Kyiv (22 of the 80+ foreign missions) were targeted in this campaign, which makes it a broad APT espionage operation rather than a narrowly aimed one.

Campaign Details

Russian Foreign Intelligence Service hackers known as Cloaked Ursa (aka Nobelium, Cozy Bear, APT29, Midnight Blizzard and UAC-0029), are targeting diplomatic missions in Kyiv and have already targeted 22 out of the 80+ foreign missions in Kyiv.

In scope, researchers describe this as the biggest espionage effort they have observed from a Russian government-affiliated threat group. Unit 42 attributes the campaign to Cloaked Ursa on three grounds: the targets match those of the group’s previous campaigns, the campaign reuses known Cloaked Ursa TTPs, and the malware overlaps in code with samples the same group used before.

It is worth noting that Nobelium is the same group that was blamed for the large-scale cyber attack on SolarWinds. Last month, Microsoft warned of the group’s return and its campaign to target the defence sector in Europe and the United States.

Exploiting Old Car Sale Flyer to Phish Diplomats

The attackers repurposed a legitimate ad for a 2011 BMW to target diplomats. A Polish Ministry of Foreign Affairs diplomat had sent this email flyer to different embassies in April 2023. It advertises a used BMW 5-series sedan for sale in Kyiv and carries a file attachment titled “BMW 5 for sale in Kyiv – 2023.docx”. The ad describes a “very good condition, low fuel consumption” vehicle offered for just 7,500 euros.

The ad appears trustworthy because a known diplomat originally shared it, and it is likely to interest staff of foreign missions in Kyiv, who may face transportation difficulties in the current political environment.

The fake flyer was emailed on 4 May 2023 to multiple diplomatic missions in Kyiv. When the recipient clicks the link in the file promising more high-quality photos of the car for sale, they are sent through a shortened URL (t.ly or tinyurl.com) to a legitimate website that Cloaked Ursa co-opted for the campaign. While the victim is looking for the photos, the malicious payload (a disk image named bmw.iso) is delivered and executed in the background.

The flyer used in the phishing attack (Image: Palo Alto Networks’ Unit 42)
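The delivery chain above (a .docx whose hyperlink goes through a URL shortener to a site hosting an .iso) is the kind of thing mail gateways and analysts can triage mechanically. The following Python script is an added example written for this article, not code from Unit 42 or the campaign itself: it pulls every external hyperlink out of a .docx (Word stores them in the `word/_rels/*.rels` parts, not in the document body) and flags shortener hosts and disk-image payload URLs. The sample document is constructed in memory; the t.ly shortener and the bmw.iso filename come from the article, while `legit-site.example`, `bmw.example` and the shortener watchlist beyond t.ly and tinyurl.com are assumptions.

```python
"""Extract external hyperlink targets from a .docx and flag phishing-lure indicators.

Added example for this article, not Unit 42's or Hackread's code. The sample
document below is constructed in memory; only the t.ly shortener and the
bmw.iso filename mirror indicators named in the article, the rest is made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed watchlist: t.ly and tinyurl.com are from the article, bit.ly is an added assumption.
SHORTENER_HOSTS = {"t.ly", "tinyurl.com", "bit.ly"}
# Disk-image/container extensions commonly used to get payloads past mail filters.
CONTAINER_EXTENSIONS = (".iso", ".img", ".vhd", ".vhdx")

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def extract_hyperlinks(docx_bytes: bytes) -> list[str]:
    """Return every external hyperlink target declared in the document's .rels parts.

    A text-only scan of word/document.xml misses hyperlinks entirely, because the
    body only references a relationship id; the URL lives in the .rels part.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == HYPERLINK_TYPE and rel.get("TargetMode") == "External":
                    targets.append(rel.get("Target"))
    return targets


def classify_link(url: str) -> list[str]:
    """Return the indicator labels that apply to one URL (empty list means nothing notable)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    labels = []
    if host in SHORTENER_HOSTS:
        labels.append("url-shortener")
    if path.endswith(CONTAINER_EXTENSIONS):
        labels.append("container-payload")
    return labels


def triage_docx(docx_bytes: bytes) -> dict[str, list[str]]:
    """Map each flagged hyperlink in the document to its indicator labels."""
    return {u: labels for u in extract_hyperlinks(docx_bytes) if (labels := classify_link(u))}


def build_sample_docx() -> bytes:
    """Construct a minimal .docx-shaped archive with three hyperlinks (constructed test data)."""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="https://t.ly/example" TargetMode="External"/>
  <Relationship Id="rId2" Type="{HYPERLINK_TYPE}" Target="https://legit-site.example/files/bmw.iso" TargetMode="External"/>
  <Relationship Id="rId3" Type="{HYPERLINK_TYPE}" Target="https://www.bmw.example/5-series" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for url, labels in triage_docx(build_sample_docx()).items():
        print(f"{url}: {', '.join(labels)}")
```

Flagging a shortener on its own produces false positives, since legitimate senders use them too; the useful signal here is the combination of a shortened link in an attachment and a destination that resolves to a disk image, which is why the script reports labels per URL rather than a single verdict.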

According to the report, researchers observed two versions of the lure with slight differences. For roughly 80% of the targets, Cloaked Ursa used embassy email addresses that are publicly available online; the remaining 20% were addresses the researchers could not find published anywhere, suggesting the attackers obtained them some other way. In some cases the email went to an individual’s work address, but most were sent to the general mailboxes embassies use for public contact.

The Ever-Evolving Threat: Spear Phishing

APT groups continually refine their tactics to improve their success rate, and spear phishing remains one of their preferred methods because a lure built around a genuine, relevant document is hard for a recipient to distinguish from normal correspondence. The BMW campaign shows that the Russian government treats diplomatic missions as high-value targets, since compromising them can yield intelligence on Ukraine.

Researchers suspect that Cloaked Ursa compromised the email server of one of the original recipients, obtained the genuine flyer there, and repurposed it as a phishing lure. Such a campaign is dangerous because the lure is relevant to the whole diplomatic community and could be forwarded to further targets both inside and outside the recipient organisations.

Earlier in July, Hackread reported that BlackBerry researchers identified a cybercrime campaign launched by RomCom targeting Pro-Ukraine guests at the upcoming NATO Summit. 
