Contents:
Russian state-sponsored hacking group ‘APT29,’ also known as Nobelium or Cloaked Ursa, has employed innovative tactics to target diplomats in Ukraine, using car listings as unconventional lures.
APT29, which is associated with the Russian government‘s Foreign Intelligence Service (SVR), has a history of conducting cyberespionage campaigns worldwide, with a particular focus on NATO, EU, and Ukrainian entities. Their methods involve phishing emails, fabricated documents on foreign policy matters, and deceptive websites designed to deliver surreptitious malware.
More on the Campaign
Recently, Palo Alto Network’s Unit 42 team published a report revealing APT29’s evolution in phishing techniques, employing personalized lures in their malicious emails. In a recent operation observed, which began in May 2023, the threat actors employed a BMW car advertisement to target diplomats in Kyiv, the capital of Ukraine. The phishing email, sent to diplomats’ addresses, imitated a legitimate car sale previously circulated by a Polish diplomat preparing to leave Ukraine.
Upon clicking the embedded link claiming to provide additional high-quality photos, recipients were redirected to an HTML page that used HTML smuggling to deliver malicious ISO file payloads. HTML smuggling is a phishing method that leverages HTML5 and JavaScript to conceal encoded strings of malicious content within HTML attachments or webpages.
These strings are decoded by a web browser when the recipient opens the attachment or clicks the link, making it difficult for security software to detect the malicious code.
The ISO file, seemingly containing nine PNG images, actually comprised LNK files that triggered the infection chain. When the victim opened any of the LNK files masquerading as PNG images, a genuine executable file initiated DLL side-loading to inject shellcode into the current memory process.
Furthermore, according to researchers, at least 22 out of the 80 foreign missions in Kyiv, including those of the United States, Canada, Turkey, Spain, Netherlands, Greece, Estonia, and Denmark, were targeted in this campaign. The extent of the infection rate remains unknown. Approximately 80% of the targeted email addresses were publicly available online, while the remaining 20% were likely obtained through compromised accounts and intelligence gathering.
Known Embassies in Kyiv Targeted in BMW Campaign
|
|
|
APT29 has demonstrated a willingness to exploit real-world incidents for phishing purposes. Earlier in 2023, they sent a malicious PDF to the Turkish Ministry of Foreign Affairs (MFA), capitalizing on the timing of an earthquake in southern Turkey in February. The PDF, which purported to provide guidance on humanitarian assistance, was likely circulated among MFA employees and subsequently shared with other Turkish organizations.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube, for more cybersecurity news and topics.