Exclusive: Russian hackers use fake luxury car ads to target diplomats

Illustration: Sarah Grillo/Axios
Russian military intelligence hackers have been embedding luxury car advertisements with credential-harvesting malware in a likely attempt to dupe diplomats, according to new research exclusively shared with Axios.
Why it matters: Targeting diplomats' devices can give Russian cyber spies access to state secrets and get ahead of any schemes designed to undermine the Kremlin's own agenda.
Zoom in: Researchers in Palo Alto Networks' Unit 42 threat intelligence team have found evidence that a Russian hacking group has been using luxury car ads as a phishing lure to infect devices with malware.
- The new scheme started as early as March, and it likely targeted diplomats — although researchers don't know how many people may have been targeted.
- In one example, the hackers created an online advertisement for a 2009 Audi Q7 Quattro SUV for about 5,500 euros.
- The post advertises a "Diplomatic Car for Sale" and includes contact information and six images of the car from various angles.
- The images and advertisement website are both hosted on legitimate services, making it harder for traditional cyber tools to flag them as malicious and for organizations to block access to these sites.
- Researchers attributed the attack to Fighting Ursa, which other cybersecurity firms refer to as APT28 or Fancy Bear, based on the online infrastructure and the malware used in the campaign.
The intrigue: Diplomats are often sent on new assignments with little notice, meaning they're constantly looking to buy and sell cars with diplomatic plates as quickly as possible, Michael Sikorski, vice president of threat intelligence and chief technology officer at Unit 42, told Axios.
- This makes car advertisements a ripe lure for malicious actors trying to target diplomats.
Between the lines: Russian hackers launched a similar hacking campaign last year against diplomats in at least 22 of the more than 80 foreign missions based in Kyiv, Ukraine.
- In that scheme, Palo Alto Networks researchers found that a different Russian hacking group — known as Cloaked Ursa, Cozy Bear or APT29 — had used fake BMW car ads as a phishing lure to potentially infect their devices with malware.
- The latest scheme doesn't appear to be related, but Palo Alto Networks says it shows how Russian state-sponsored hacking teams trade tactics and techniques.
Threat level: Fighting Ursa is known to recycle its tools and techniques, even after researchers report on them publicly, Andy Piazza, senior director of threat intelligence at Palo Alto Networks, told Axios.
- "If they're still working, they're not going to go invest money somewhere else," Piazza said.
