A recent Cozy Bear campaign saw the Russian APT group pivot to exploiting an advert for a used car as it targeted diplomatic missions in Kyiv
By Alex Scroxton, Security Editor
Published: 12 Jul 2023 13:30
The Russian intelligence-backed advanced persistent threat (APT) group known variously as APT29, Nobelium or Cozy Bear, arguably best known for the 2020/1 SolarWinds incident, has been caught attempting to ensnare diplomats working in Ukraine with a novel lure – a second-hand BMW 5 Series saloon car being sold by a Polish embassy official.
According to new intelligence from Palo Alto Networks’ Unit 42 – which tracks the operation as Cloaked Ursa – the group more often spoofs official diplomatic notices and correspondence when targeting foreign missions, but on this occasion it pivoted to leveraging something that every newly posted diplomat needs: a car.
“The nature of service for professional diplomats is often one that involves a rotating lifestyle of short- to mid-term assignments at postings around the world. Ukraine presents newly assigned diplomats with unique challenges, being in an area of armed conflict,” the Unit 42 team wrote.
“How do you ship personal goods, procure safe accommodations and services, and arrange for reliable personal transportation while in a new country? The sale of a reliable car from a trusted diplomat could be a boon for a recent arrival, which Cloaked Ursa viewed as an opportunity.”
The initial legitimate email was sent by a staffer at Poland’s Ministry of Foreign Affairs to various contacts in Kyiv in April, advertising the sale of their car, presumably because they were relocating back to Poland. Cozy Bear most likely swiped the email and its attached Microsoft Word flyer – named BMW 5 for sale in Kyiv – 2023.docx – from a compromised server belonging to one of its victims.
The legitimate email contained several shortened URL links leading to photos of the vehicle, which the Russian spooks repurposed to redirect to a malicious website, so that when a victim tried to view any of the photos – which were now actually Windows shortcut files disguised as .png images – the picture would display on their screen, but Cozy Bear’s malware would execute in the background.
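An added example, not from the article or from Unit 42: a small Python check for the disguise described above, a Windows shortcut (.lnk) carrying an image file name. The file names and bytes are constructed in memory; the signatures are the public PNG/JPEG/GIF/BMP magic numbers and the Shell Link header from Microsoft’s MS-SHLLINK specification.

```python
import struct

# Signatures: common image magic bytes, and the Shell Link header from
# MS-SHLLINK: HeaderSize 0x0000004C followed by LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF8", b"BM")
LNK_HEADER = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def displayed_name(name: str) -> str:
    # Explorer hides the .lnk extension by default, so "BMW_2.png.lnk" is
    # shown to the user as "BMW_2.png".
    return name[:-4] if name.lower().endswith(".lnk") else name


def claimed_extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def classify(name: str, data: bytes) -> str:
    """Compare what the file name claims with what the bytes actually are."""
    ext = claimed_extension(displayed_name(name))
    if data.startswith(LNK_HEADER):
        return "lnk-disguised-as-image" if ext in IMAGE_EXT else "shell-link"
    if ext in IMAGE_EXT:
        return "ok" if data.startswith(IMAGE_MAGIC) else "extension-mismatch"
    return "unknown"


# Constructed sample "attachments" (not real artefacts from the campaign).
SAMPLES = {
    "BMW_1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,   # genuine image
    "BMW_2.png.lnk": LNK_HEADER + b"\x00" * 56,         # hidden .lnk extension
    "BMW_3.png": LNK_HEADER + b"\x00" * 56,             # shortcut renamed to .png
    "readme.lnk": LNK_HEADER + b"\x00" * 56,            # honest shortcut
}


def flagged(samples: dict) -> list:
    """Names worth blocking or alerting on: shortcuts wearing an image name."""
    return sorted(n for n, d in samples.items()
                  if classify(n, d) == "lnk-disguised-as-image")


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} {classify(name, data)}")
```

The same content-versus-name check can be applied at a mail gateway or on files downloaded from a shortened link, where the shortcut header is visible long before the user sees a picture.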
Unit 42 said the campaign could be attributed to Cozy Bear with a high degree of confidence because of overlaps with other known campaigns and targets, known tactics, techniques and procedures (TTPs), and code overlap with malware used by the group.
The group is known to have targeted at least a quarter of the foreign missions located in Kyiv, which the Palo Alto team said was “staggering in scope” for a clandestine APT operation.
The embassies known to have been targeted are those of Albania, Argentina, Canada, Cyprus, Denmark, Estonia, Greece, Iraq, Ireland, Kuwait, Kyrgyzstan, Latvia, Libya, the Netherlands, Norway, Slovakia, Spain, Sudan, Turkey, Turkmenistan, the US and Uzbekistan.
Unit 42 said that in roughly 80% of observed cases, Cozy Bear used publicly available embassy email addresses, and in the other 20% of cases unpublished email addresses collected through other means. It is likely, said the team, that the APT group was trying to increase the odds of its emails being reviewed by a low-level staffer and passed on to people likely to be interested in buying a car.
In at least one of the embassies, this was done via group emails hosted on a free online webmail service, which, while such services do offer some security protection, runs the risk of hindering an organisation’s ability to monitor and understand the threats it faces, and increases its potential attack surface.
One might reasonably consider this a big security failing for a government body, but Unit 42 did not disclose which of the targeted countries’ missions was being so foolhardy as to turn a blind eye to the use of external email services in an active cyber warzone.
High-value targets
Diplomatic missions are a high-value target for Russian intelligence, and 16 months into the war in Ukraine, it’s easy to see why Cozy Bear might have been tasked with infiltrating such organisations.
Cozy Bear itself is known to be a highly adept and exceptionally innovative group, and repeatedly modifies its approaches to enhance its effectiveness, seizing any opportunity it can find.
As a consequence, government bodies likely to be targeted by the group need to remain extra vigilant, and those posting officials to Kyiv or elsewhere in Ukraine should both improve the security training offered to new staffers and take extra technical precautions when it comes to things such as clicking on shortened URLs and downloading attachments.
Copyright for syndicated content belongs to the linked source: Computer Weekly – https://www.computerweekly.com/news/366544534/Cozy-Bear-lures-victims-with-used-BMW-5-Series