The widespread espionage activity targeted diplomats working in at least 22 of the roughly 80 foreign missions in Ukraine's capital, Kyiv, analysts at Palo Alto Networks' Unit 42 research division said in the report.
The act of espionage started with a legitimate ad for a used 2011 BMW 5-Series sedan from the F10 generation, which was shared via email by a Polish diplomat. Hackers from the Russian APT29 unit – nicknamed Cozy Bear – took notice, embedding malicious software in the unsuspecting leaflet before it reached the diplomats.
Reuters reports that the seller got a few calls about the vehicle, only to realize that the asking price on the leaflet had been further reduced to €7.5k ($8.3k) without his knowledge. It turns out that this price drop was done by Russian hackers in order to lure more diplomats into clicking the ad. The malicious software was integrated into a photo gallery of the used vehicle, infecting the PC of anyone that clicked on the link.
The ATP29 unit identified by the US and British agencies as a part of the Russian foreign intelligence service. The same group recently conducted a campaign against NATO, the EU, and Africa, using similar digital tools and techniques which eventually gave away their identity.
The seller who works at the Polish Ministry of Foreign Affairs didn’t reveal his identity but confirmed that the vehicle is still available. Speaking of which, the 12-year-old premium sedan has 266,000 km (165,295 miles) on the clock, and comes fitted with a 2.0-liter diesel powertrain mated to a manual gearbox. After all this mess, the owner now intends of selling the car in Poland, so he can avoid any extra drama.