A US-based cybersecurity firm has identified a cyber-attack by a Russian intelligence agency against embassies in Ukraine by hacking a used car advert, according to Reuters.

In April a Kyiv-based Polish diplomat sent out an emailed flyer to other embassies offering his second-hand BMW 5 series car for sale.

Screenshot of the “car for sale” advertisement

Analysts at the Palo Alto Networks’ Unit 42 research division identified that the original advertisement had been intercepted by the hacking group APT29 / Cozy Bear, which is allegedly affiliated to one or more Russian intelligence agencies.

Having intercepted the original legitimate email, the hackers copied it, embedded malicious software into the flyer and then sent their copy to a large number of foreign embassies in Kyiv.


They had lowered the original asking price in their version of the circular, which was sent as an attachment to the email in an attempt to encourage recipients to open it; the hackers software was concealed in one of the photos of the car. Once opened it would potentially infect their systems with Cozy Bear’s software giving the hackers control of their network.

A spokesperson for Unit 42 is quoted as saying: “This is staggering in scope for what generally are narrowly scoped and clandestine advanced persistent threat (APT) operations.” The acronym APT is often used to describe cyber-based espionage, sabotage or service disruption attacks by state-backed hacking groups.

Russian Pilot Betrays Colleagues Who Attacked Ohmatdyt Children’s Hospital in Kyiv
Other Topics of Interest

Russian Pilot Betrays Colleagues Who Attacked Ohmatdyt Children’s Hospital in Kyiv

The pilot forwarded documents to Ukraine related to the activities of his military unit as well as private photos of the command staff of the 22nd Heavy Bombing Aviation Division, HUR said.

APT29 has been linked to a number of attacks against NATO and European Union member embassies and foreign ministries through “spear-phishing” emails or links to infected websites. Its activities have been linked to both Russia’s foreign intelligence service (SVR) and its federal security service (FSB)

Researchers at Unit 42 believe that the fake car advertisement used tools and techniques that have been previously linked to the SVR.


Unit 42 told Reuters that “Diplomatic missions will always be a high-value espionage target. Sixteen months into the Russian invasion of Ukraine, intelligence surrounding Ukraine and allied diplomatic efforts are almost certainly a high priority for the Russian government.”

It is believed that individuals from 22 embassies received the email and all but one would not provide a comment when contacted by Reuters. There is no information on which, if any, of the targeted embassies were compromised.

The Polish diplomat who originally advertised the car commented: “I’ll try to sell it in Poland, probably…  I don’t want to have any more problems.”

To suggest a correction or clarification, write to us here
You can also highlight the text and press Ctrl + Enter