The state-sponsored hacking group known as APT29, also referred to as Nobelium or Cloaked Ursa, has been employing unconventional tactics to deceive Ukrainian diplomats. Instead of relying on typical methods, they have resorted to using car listings as lures to entice their targets into clicking on Malicious links that deliver malware.

APT29, which has ties to the Russian Government’s Foreign Intelligence Service (SVR), has been involved in various cyberespionage campaigns that have targeted individuals of high interest worldwide. Over the past two years, their focus has shifted towards NATO, EU, and Ukrainian targets. Their modus operandi involves employing Phishing emails and documents related to foreign policy topics, as well as creating deceptive websites, to infect their intended victims with stealthy backdoors.

According to a recent report published by Palo Alto Network’s Unit 42 team, APT29 has evolved their phishing tactics by personalizing the lures in their phishing emails. In a notable instance spotted by Unit 42, which began in May 2023, the threat actors utilized a BMW car advertisement to target diplomats in Kyiv, the capital of Ukraine.

Diplomats’ email addresses were targeted with a deceitful sales flier, mimicking a genuine car sale previously circulated by a Polish diplomat making preparations to depart from Ukraine.  

When the recipients clicked on the embedded link promising “more high-quality photos,” they were redirected to an Html page that delivered malicious ISO file payloads via HTML smuggling.

HTML smuggling serves as a deceptive tactic employed in phishing campaigns. This method leverages the power of HTML5 and JavaScript to camouflage malicious payloads within encoded strings found within an HTML attachment or webpage. When a user opens the attachment or clicks on a link, these strings are decoded by the browser, revealing the hidden threat.

By leveraging this technique, the malicious code evades security software as it remains obfuscated until rendered in the browser.

The ISO file, which appears to contain nine PNG images, actually comprises LNK files that initiate the infection chain upon being opened. These LNK files, disguised as PNG images, execute a legitimate executable using DLL side-loading to inject shellcode into the current process in memory.

Unit 42’s report indicates that this campaign has targeted at least 22 out of the 80 foreign missions located in Kyiv, including diplomatic representations of the United States, Canada, Turkey, Spain, Netherlands, Greece, Estonia, and Denmark. However, the precise infection rate remains unknown.

Approximately 80% of the email addresses that received the malicious flier were publicly available online, while APT29 likely obtained the remaining 20% through compromised accounts and intelligence collection.

Another recent example of APT29 capitalizing on real-world incidents for phishing purposes involved a PDF document sent to the Turkish Ministry of Foreign Affairs (MFA) earlier in 2023. This PDF purported to offer guidance on humanitarian assistance following the earthquake that struck southern Turkey in February. It is believed that the malicious PDF was shared within the MFA’s employees and subsequently forwarded to other Turkish organizations.

Given the ongoing conflict in Ukraine and the evolving landscape within NATO, it is anticipated that Russian cyber espionage groups, including APT29, will persist in their efforts to target diplomatic missions.