The Russian intelligence-backed advanced persistent threat (APT) group known variously as APT29, Nobelium or Cozy Bear, arguably most famous for the 2020/1 SolarWinds incident, has been caught trying to ensnare diplomats working in Ukraine with a novel lure – a second-hand BMW 5 Series saloon car being sold by a Polish embassy official.
According to new intelligence from Palo Alto Network’s Unit 42 – which tracks the operation as Cloaked Ursa – the group more usually spoofs official diplomatic notices and correspondence when targeting foreign missions, but in this instance it has pivoted to leveraging something that all newly placed diplomats need: an official car.
“The nature of service for professional diplomats is often one that involves a rotating lifestyle of short- to mid-term assignments at postings around the world. Ukraine presents newly assigned diplomats with unique challenges, being in an area of armed conflict,” the Unit 42 team wrote.
“How do you ship personal goods, procure safe accommodations and services, and arrange for reliable personal transportation while in a new country? The sale of a reliable car from a trusted diplomat could be a boon for a recent arrival, which Cloaked Ursa viewed as an opportunity.”
The initial legitimate email was sent by a staffer at Poland’s Ministry of Foreign Affairs to various contacts in Kyiv in April, advertising the sale of their car, presumably because they were relocating back to Poland. Cozy Bear likely swiped the email and its attached Microsoft Word flyer – named BMW 5 for sale in Kyiv – 2023.docx – from a compromised server belonging to one of its victims.
The legitimate email contained a number of shortened URL links leading to photos of the vehicle, which the Russian spooks repurposed to redirect to a malicious website so that when a victim attempted to view any of the photos, which were now actually Windows shortcut files disguised as .png images, the image would display on their screen, but Cozy Bear’s malware would execute in the background.
It said the campaign could be attributed to Cozy Bear with a high degree of confidence thanks to overlaps with other known campaigns and targets, known tactics, techniques and procedures (TTPs), and code overlap with malwares used by the group.
The group is known to have targeted at least a quarter of the foreign missions located in Kyiv, which the Palo Alto team said was “staggering in scope” for a clandestine APT operation.
The embassies known to have been targeted are those of Albania, Argentina, Canada, Cyprus, Denmark, Estonia, Greece, Iraq, Ireland, Kuwait, Kyrgyzstan, Latvia, Libya, the Netherlands, Norway, Slovakia, Spain, Sudan, Turkey, Turkmenistan, the US and Uzbekistan.
Unit 42 said that in approximately 80% of observed cases, Cozy Bear used publicly available embassy email addresses, and in the other 20% of cases unpublished email addressed collected via other means. It is likely, said the team, that the APT group was trying to increase the odds of their emails being reviewed by a low-level staffer and passed to individuals likely to be interested in buying a car.
In at least one of the embassies, this was done via group emails hosted on a free online webmail service, which while they do offer some security protection, runs the risk of hindering an organisation’s ability to observe and understand the threats it faces, and increases its potential attack surface.
One might reasonably consider this a big security failing for a government body, but Unit 42 did not disclose which of the targeted countries’ missions was being so foolhardy as to turn a blind eye to the use of external email services in an active cyber warzone.
Diplomatic missions are a high-value target for Russian intelligence, and 16 months into the war in Ukraine, it is easy to see why Cozy Bear might have been tasked with infiltrating such organisations.
Cozy Bear itself is known to be a highly adept and exceptionally innovative group, and continuously modifies its approaches to enhance its effectiveness, seizing any opportunity it can find.
As a result, government bodies likely to be targeted by the group need to remain extra vigilant, and for those posting officials to Kyiv or elsewhere in Ukraine, should enhance both the security training offered to new staffers, and take extra technical precautions when it comes to matters such as clicking on shortened URLs and downloading attachments.