Polish diplomat’s BMW advert was turned into lure by Russian hackers


Hackers tied to Russia’s spy services have hijacked a Polish diplomat’s advertisement to sell his BMW, spreading malware in an attempt to infiltrate foreign embassies’ networks in Ukraine.

The Kyiv-based diplomat emailed an advertisement about his 2011 BMW 5 series car to dozens of other embassies this spring.

Within two weeks, the hackers had repurposed the advertisement, dropped the price and laced the notice with malware, according to researchers at Unit 42 — part of Californian cyber security firm Palo Alto Networks.

The goal was to entice recipients to click through the images of the €7,500 navy blue sedan with leather trim and a two-litre diesel engine, and so allow the hackers to surreptitiously steal data and gain persistent future access to embassies’ networks.

The hacked advertisement in full

The researchers say those responsible — who sent the repurposed ad to 22 diplomatic missions in Kyiv — were part of a hacking unit nicknamed Cozy Bear that is tied to Russia’s Foreign Intelligence Service (SVR).

Western officials have tied Cozy Bear to the breaches of the US Democratic National Committee in 2016 and the Republican National Committee in 2021.

Cozy Bear used the BMW ad to hide the so-called spear-phishing link to install a back door into embassies’ networks, a sign of the sophistication of Moscow’s espionage efforts, the researchers say.

Spear-phishing involves creating alluring links that even careful recipients may be tricked into clicking on. Previous examples included an email this year to embassies in Kyiv that pretended to give details of Turkey’s earthquake relief efforts.

“It’s all about getting their hooks in — especially in Ukraine . . . where they want to get their hooks to the maximum and then make sense of it later,” said Michael Sikorski, Unit 42 vice-president, who labelled the hackers “pretty impressive”.

Computer boards with a Russian flag
Russian hackers are behind some of the most sophisticated malware seen by western researchers © Bildagentur/Alamy

It is unknown whether any of the targeted missions were successfully infiltrated. A sweep of US systems in Kyiv this month showed nothing, said two people familiar with the matter.

Western cyber security companies, including Palo Alto Networks, Microsoft, Dragos and others, have contracts to protect Ukrainian customers. This typically involves observing much of the data moved through those customers’ networks.

Sikorski said that, as the malware-laced emails circulated, Unit 42 researchers noted something awry with the attachment and warned the targeted missions within days. He declined to discuss the details of those conversations.

The Polish diplomat declined to comment, as did the Polish Embassy. The car remains unsold.

Russian hackers have flooded Ukraine’s networks since before the full-blown invasion in February 2022, wielding some of the most sophisticated malware seen by western researchers.

They cut off access to a satellite internet system sold by a US company and wiped data from state-owned train and immigration systems in the early days of the war.

US and European security companies, sometimes paid for by Ukraine’s allies, have helped thwart assaults on the country’s energy grid, military systems and the banking network.

But the Russian hackers’ phishing skills have been an issue of concern. One email intercepted last year contained a spreadsheet promising the details of Ukraine’s dead and wounded soldiers.

It purported to have been sent in error, making it difficult for recipients to resist clicking on what promised to be a painful national secret.

Sustained access to an embassy’s emails created a new risk, said Sikorski, now that hackers can repurpose AI systems such as ChatGPT to train off the style of existing conversations.

“We now know that they probably have access to people’s inboxes, and they can then even train off the conversations you’ve had with people historically,” he said.

Additional reporting by Christopher Miller in Kyiv
