Hackers linked to Russian spy services hijacked a Polish diplomat’s advertisement for the sale of his BMW, and deployed malware in an attempt to infiltrate foreign embassies’ networks in Ukraine.
The Kiev-based diplomat sent an e-mail announcement about his 2011 BMW 5 Series to dozens of other embassies this spring.
Within two weeks, the hackers had repurposed the ad, dropped the price and laced the notice with malware, according to researchers at Unit 42, part of the California-based cybersecurity firm Palo Alto Networks.
The goal was to lure recipients into clicking on pictures of the €7,500 dark blue sedan with leather trim and a 2-litre diesel engine, allowing the hackers to steal data surreptitiously and to gain future access to embassy networks.
Researchers say the attackers, who sent the doctored ad to 22 diplomatic missions in Kiev, belong to a hacking unit known as Cozy Bear that is linked to Russia’s foreign intelligence service (SVR).
Western officials have linked Cozy Bear to the intrusions into the US Democratic National Committee in 2016 and the Republican National Committee in 2021.
Cozy Bear used a BMW ad to disguise an alleged spear-phishing link to install a backdoor into embassy networks, in a sign of the sophistication of Moscow’s espionage efforts, researchers say.
Spear-phishing involves crafting enticing links that even alert recipients may be tricked into clicking. Previous examples include an email sent to embassies in Kiev earlier this year that purported to give details of earthquake relief efforts in Turkey.
“It’s all about getting hooked — especially in Ukraine…,” said Michael Sikorski, deputy chief of Unit 42, who called the hackers “impressive.”
It is not known if any of the targeted missions were successfully hacked. Two people familiar with the matter said a scan of US systems in Kiev this month turned up nothing.
Western cybersecurity firms, including Palo Alto Networks, Microsoft and Dragos, have contracts to protect Ukrainian clients. This typically involves monitoring large volumes of data passing over their networks.
With the malware-laden emails in circulation, Sikorski said, Unit 42 researchers noticed something odd and alerted the targeted missions within days. He declined to discuss the details of those conversations.
The Polish diplomat declined to comment, as did the Polish embassy. The car remains unsold.
Russian hackers have flooded Ukraine’s networks since before the full-scale invasion in February 2022, using some of the most sophisticated malware Western researchers have seen.
In the early days of the war they cut off access to a satellite internet system sold by an American company and wiped data from the state-owned railway and immigration systems.
American and European security firms, sometimes paid by Ukraine’s allies, have helped thwart attacks on the country’s energy grid, military systems and banking network.
But the Russian hackers’ phishing skills have been a cause for concern. One of the emails intercepted last year contained a spreadsheet promising details of dead and wounded Ukrainian soldiers.
It purported to have been sent by mistake, making it hard for recipients to resist clicking on what promised to be a painful national secret.
Persistent access to embassy email creates a new risk, Sikorski said, because hackers can now feed existing conversations into AI systems such as ChatGPT to imitate their style.
“Now we know that they probably have access to people’s inboxes, and they can then rehearse the conversations you’ve had with people throughout history,” he said.
Additional reporting by Christopher Miller in Kiev