SolarWinds Attackers Dangle BMWs to Spy on Diplomats

Cloaked Ursa/Nobelium gets creative by appealing to the more personal needs of government employees on foreign missions in Kyiv.

The Russia-backed group behind the infamous SolarWinds attack is targeting an astonishing number of foreign diplomats working at embassies in the Ukraine with lures that are a bit more personal than the traditional political fare normally used to entice them to click on malicious links.
Researchers from Palo Alto Networks Unit 42 observed the group — which they track as
Cloaked Ursa
but which is better known as Nobelium/APT29 — a vehicle to get around in.
The initial lure in the campaign appeared to use a legitimate flyer for the sale of a used BMW sedan in Kyiv that was spread to various embassies by a diplomat within the Polish ministry of Foreign Affairs. While it seems fairly innocent, the sale of a reliable car from a trusted diplomat — especially in a war-torn area like Ukraine — could definitely draw the attention of a new arrival to the scene, the researchers noted.
This is something that Cloaked Ursa clocked as an opportunity, repurposing the flyer to create its own illegitimate one, which the group sent to multiple diplomatic missions two weeks later as bait in its malware campaign. The group included in the message a malicious link, saying that targets can find more photos of the car there. Victims find more than just photos if they click on the link, which executes malware silently in the background while the selected image displays on the victims screen.
The payload of the campaign is a JavaScript-based malware that gives attackers an espionage-ready backdoor into the victims system, and the ability to load further malicious code through a command-and-control (C2) connection.
The advanced persistent threat (APT) showed premeditation to generate its target list, using publicly available embassy email addresses for about 80% of the targeted victims, and unpublished email addresses not found on the surface Web for the other 20%. This was likely to maximize their access to desired networks, according to Unit 42.
The researchers observed Cloaked Ursa wielding the campaign against 22 of 80 foreign missions in Ukraine, but the actual number of targets is likely higher, they said.
This is staggering in scope for what generally are narrowly scoped and clandestine APT operations, according to Unit 42.
A Change in Malware Cyber Tactics
Its a strategic pivot from using subject matter related to their jobs as bait, researchers revealed in
a blog post
published this week.
These unconventional lures are designed to entice the recipient to open an attachment based on their own needs and wants instead of as part of their routine duties, the researchers wrote.
This change in lure tactics could be a move to increase the success factor of the campaign not only to compromise the initial target but also others within the same organization, thus extending its reach, the researchers suggested.
The lures themselves are broadly applicable across the diplomatic community, and thus are able to be sent and forwarded to a greater number of targets, they wrote in the post. They’re also more likely to be forwarded to others inside an organization, as well as within the diplomatic community.
Cloaked Ursa/Nobelium/APT29, is a state-sponsored group associated with Russias Foreign Intelligence Service (SVR), is perhaps best known for the
SolarWinds attack
, which started with a backdoor discovered in December 2020 that spread to some 18,000 organizations via infected software updates — and is still having an impact across the software supply chain.
The group has remained consistently active since then, mounting a series of
attacks
that align with Russias overall geopolitical stance against
various foreign ministries and diplomats
, and the US government. A common denominator across incidents is a
sophistication in both tactics and custom malware development
.
Unit 42 noted similarities to other known campaigns from Cloaked Ursa, including the targets of the attack, and code overlap with other known malware from the group.
Mitigating APT Cyberattacks on Civil Society
The researchers offered some advice for people on diplomatic missions to avoid falling prey to sophisticated and clever attacks by APTs like Cloaked Ursa. One is that administrators train newly assigned diplomats on the cybersecurity threats for the region prior to their arrival.
Government or corporate employees in general should always be cautious of downloads, even from seemingly innocuous or legitimate sites, as well as take extra precautions to observe URL redirection when using URL-shortening services, as this can be a hallmark of a phishing attack.
People also should pay close attention to emails attachments to avoid being a victim of phishing, the researchers said. They should verify file extension types to ensure that the file they are opening is the one they want, avoiding files with extensions that dont match or attempt to obfuscate the nature of the file.
Finally, the researchers suggested that diplomatic employees disable JavaScript as a rule, which would render any malware based in the programming language unable to execute.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
SolarWinds Attackers Dangle BMWs to Spy on Diplomats