Russian hackers used an advertisement for a cheap BMW to entice diplomatic staff in Ukraine

According to a cybersecurity company study released on Wednesday, hackers thought to be affiliated with Russia’s foreign intelligence agency targeted dozens of diplomats at embassies in Ukraine with a bogus used vehicle advertisement in an effort to access their computers.
The extensive espionage activity, according to researchers at Palo Alto Networks’ (NASDAQ:PANW) Unit 42 research group, targeted diplomats working in at least 22 of the roughly 80 foreign missions in Kyiv, the capital of Ukraine.


The revelation, which was initially reported by Reuters, stated that “the campaign began with an innocent and legitimate event.”

A diplomat from the Polish Ministry of Foreign Affairs circulated a valid flyer promoting the sale of a used BMW 5-series automobile situated in Kyiv to many embassies in the middle of April 2023.

The Polish envoy, who requested anonymity out of concern for his security, acknowledged that his advertisement was responsible for the digital breach.

APT29 or “Cozy Bear” hackers intercepted and copied the flyer, infected it with dangerous software, and then forwarded it to numerous additional foreign diplomats stationed in Kyiv, according to Unit 42.

The report utilized the acronym commonly used to denote state-sponsored cyberespionage organizations, “this is staggering in scope for what generally are narrowly scoped and clandestine APT operations.”

The foreign intelligence service of Russia, the SVR, was revealed to be the source of APT29 by American and British intelligence agencies in 2021. An inquiry from Reuters for comment regarding the hacking campaign received no response from the SVR.

The same outfit had carried out a “widespread intelligence campaign” against NATO member states, the European Union, and Africa, according to a warning issued by Polish counterintelligence and cybersecurity authorities in April.

Due to the hackers’ repeated use of specific tools and techniques that have been linked to the intelligence agency in the past, researchers at Unit 42 were able to link the false vehicle advertisement to the SVR.

The Unit 42 study stated that “diplomatic missions will always be a high-value espionage target.” Sixteen months after Russia invaded Ukraine, the Russian government almost probably places a high priority on gathering intelligence about Ukraine and its allies’ diplomatic initiatives.


The Polish ambassador claimed that after sending the original advertisement to several embassies in Kiev, he received a call from someone who thought the price was “attractive.”

The ambassador told Reuters, “When I checked, I realized they were talking about a slightly lower price.”

SVR hackers, it turns out, had listed the diplomat’s BMW for a lower price – 7,500 euros – in their fake version of the advert, in an attempt to encourage more people to download malicious software that would give them remote access to their devices, Reuters found.

Unit 42 claimed that the program was a photo album of the pre-owned BMW. The study stated that attempts to access those pictures would have contaminated the target’s computer.

When contacted by Reuters, 21 of the 22 embassies that the hackers targeted declined to respond. Which embassies, if any, had been penetrated was unclear.

According to a representative for the U.S. State Department, the agency was “aware of the activity and based on the Directorate of Cyber and Technology Security’s analysis found that it did not affect Department systems or accounts.”

In relation to the car, the Polish envoy informed Reuters that it was still available:

I’ll probably try to sell it in Poland,” he remarked. “I don’t want to have any more issues after this,” she said.