SolarWinds Attackers Dangle BMWs to Spy on Diplomats

Cloaked Ursa/Nobelium gets creative by appealing to the more personal needs of government employees on foreign missions in Kyiv.

Image: a blue and yellow Ukrainian flag flying on a flagpole in the wind. Source: Peter Treanor via Alamy Stock Photo

The Russia-backed group behind the infamous SolarWinds attack is targeting "an astonishing number" of foreign diplomats working at embassies in Ukraine with lures that are a bit more personal than the traditional political fare normally used to entice them to click on malicious links.

Researchers from Palo Alto Networks' Unit 42 observed the group — which they track as Cloaked Ursa but which is better known as Nobelium/APT29 — baiting its targets with something a diplomat newly posted to Kyiv is likely to need: a vehicle to get around in.

The initial lure in the campaign appeared to use a legitimate flyer for the sale of a used BMW sedan in Kyiv that was spread to various embassies by a diplomat within the Polish Ministry of Foreign Affairs. While it seems fairly innocent, the sale of a reliable car from a trusted diplomat — especially in a war-torn area like Ukraine — could definitely draw the attention of a new arrival to the scene, the researchers noted.

This is something that Cloaked Ursa clocked as an opportunity, repurposing the flyer to create its own illegitimate one, which the group sent to multiple diplomatic missions two weeks later as bait in its malware campaign. The group included in the message a malicious link, saying that targets can find more photos of the car there. Victims find more than just photos if they click on the link, which executes malware silently in the background while the selected image displays on the victim's screen.

The payload of the campaign is a JavaScript-based malware that gives attackers an espionage-ready backdoor into the victim's system, and the ability to load further malicious code through a command-and-control (C2) connection.

The advanced persistent threat (APT) showed premeditation to generate its target list, using publicly available embassy email addresses for about 80% of the targeted victims, and unpublished email addresses not found on the surface Web for the other 20%. This was likely "to maximize their access to desired networks," according to Unit 42.

The researchers observed Cloaked Ursa wielding the campaign against 22 of 80 foreign missions in Ukraine, but the actual number of targets is likely higher, they said.

"This is staggering in scope for what generally are narrowly scoped and clandestine APT operations," according to Unit 42.

A Change in Malware Cyber Tactics

The campaign marks a strategic pivot away from using subject matter related to the targets' jobs as bait, researchers revealed in a blog post published this week.

"These unconventional lures are designed to entice the recipient to open an attachment based on their own needs and wants instead of as part of their routine duties," the researchers wrote.

This change in lure tactics could be a move to increase the success factor of the campaign not only to compromise the initial target but also others within the same organization, thus extending its reach, the researchers suggested.

"The lures themselves are broadly applicable across the diplomatic community, and thus are able to be sent and forwarded to a greater number of targets," they wrote in the post. "They’re also more likely to be forwarded to others inside an organization, as well as within the diplomatic community."

Cloaked Ursa/Nobelium/APT29, a state-sponsored group associated with Russia's Foreign Intelligence Service (SVR), is perhaps best known for the SolarWinds attack, which started with a backdoor discovered in December 2020 that spread to some 18,000 organizations via infected software updates — and is still having an impact across the software supply chain.

The group has remained consistently active since then, mounting a series of attacks, aligned with Russia's overall geopolitical stance, against various foreign ministries and diplomats as well as the US government. A common denominator across incidents is sophistication in both tactics and custom malware development.

Unit 42 noted similarities to other known campaigns from Cloaked Ursa, including the targets of the attack, and code overlap with other known malware from the group.

Mitigating APT Cyberattacks on Civil Society

The researchers offered some advice for people on diplomatic missions to avoid falling prey to sophisticated and clever attacks by APTs like Cloaked Ursa. One is for administrators to train newly assigned diplomats on the cybersecurity threats for the region prior to their arrival.

Government or corporate employees in general should always be cautious of downloads, even from seemingly innocuous or legitimate sites, and should take extra care to check where a URL-shortening service actually redirects them, as this kind of redirection can be a hallmark of a phishing attack.

People also should pay close attention to email attachments to avoid becoming a victim of phishing, the researchers said. They should verify file extension types to ensure that the file they are opening is the one they want, avoiding files with extensions that don't match or that attempt to obfuscate the nature of the file.

Finally, the researchers suggested that diplomatic employees disable JavaScript as a rule, which would render any malware based in the programming language unable to execute.
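The attachment advice above (check that the extension matches what the file really is, and distrust names that disguise a script as an image) can be automated for mail-gateway or help-desk triage. The following is an added example written for this article, not code from Unit 42 or from the campaign itself; the file names and byte contents are constructed for illustration, and the set of script extensions reflects what Windows Script Host and the shell run by default, not anything the article specifies.

```python
"""Attachment sanity checks for phishing triage.

Added example, not from the article or Unit 42. Implements the advice above:
confirm that an attachment's extension matches its actual bytes, and flag names
that hide the real file type. All samples below are constructed.
"""
import os

# Extensions that run code when double-clicked on a typical Windows host
# (assumption for this example; tune to your environment).
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                   ".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".lnk", ".msi"}

# Leading bytes of the image types a "more photos of the car" lure would claim to be.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Unicode right-to-left override: text after it is rendered reversed, so the
# visible name can appear to end in ".jpg" while the real extension is different.
RLO = "\u202e"


def split_name(filename: str):
    """Return (stem, final_ext, all_exts) with extensions lower-cased."""
    base = os.path.basename(filename)
    parts = base.split(".")
    exts = ["." + p.lower() for p in parts[1:]] if len(parts) > 1 else []
    return parts[0], (exts[-1] if exts else ""), exts


def check_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    _, ext, exts = split_name(filename)
    if RLO in filename:
        findings.append("rlo-override")
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable-extension:{ext}")
    # Double extension such as photo.jpg.js: an image-looking name in front of a script.
    if len(exts) > 1 and any(e in IMAGE_MAGIC for e in exts[:-1]):
        findings.append("double-extension")
    # Name says image, bytes say otherwise.
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("content-mismatch")
    return findings


# Constructed samples: one genuine JPEG and PNG, three disguised files.
SAMPLES = {
    "bmw_front.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,      # genuine JPEG header
    "bmw_interior.jpg": b"var x = 1; // text, not a JPEG",    # image name, script body
    "bmw_side.jpg.js": b"var x = 1;",                         # double extension
    "bmw_rear\u202egpj.js": b"var x = 1;",                    # RLO-disguised .js
    "offer.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,          # genuine PNG header
}


def triage(samples=SAMPLES):
    """Run the checks over a name -> bytes mapping and return name -> findings."""
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        status = "clean" if not findings else ", ".join(findings)
        print(f"{name!r}: {status}")
```

The content check only covers the image types a photo lure would claim; in production you would back it with a full type sniffer and treat any finding as a reason to quarantine rather than deliver.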

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
