Irish Embassy in Kyiv targeted by Russian state hackers using used car advert

Phishing attempt using a used car advert did not breach cybersecurity of Irish Embassy in Ukrainian capital, Minister says

The advertisement: Russian operatives gained access to a legitimate advertisement for a used BMW car that was being sold by a Polish diplomat, who had emailed colleagues in other embassies about the vehicle

Irish diplomats in Kyiv were targeted by hackers linked to a Russian intelligence agency as part of a “phishing” exercise that piggybacked on an advertisement for a BMW car.

Ossian Smyth, the Minister of State with responsibility for cybersecurity, confirmed that the Irish diplomatic mission in Kyiv was one of 22 foreign embassies targeted earlier this summer by a group of hackers known as Cozy Bear, which has been linked to Russia’s foreign intelligence service.

Mr Smyth said the hacking attempt was not successful and the Irish mission’s systems were not compromised.

“I have been reassured by the Department of Foreign Affairs that they successfully intercepted the attack and that no harm was done,” he said. “The department also informed the National Cyber Security Centre about it once it happened.”


The attempt to infiltrate the systems of a large number of embassies in the Ukrainian capital was uncovered by Unit 42 researchers from the cybersecurity company Palo Alto Networks, which revealed details of the cybercrime last month.

The Russian operatives gained access to a legitimate advertisement for a used BMW car that was being sold by a Polish diplomat, who had emailed colleagues in other embassies about the vehicle.

The Cozy Bear hackers gained access illegally to the email server and repurposed the advertisement so it could be used for a phishing attack. When recipients followed a link allowing them to view better quality pictures of the BMW, it activated malware that operated invisibly in the background. This gave the hackers a means of accessing the IT systems in some of the diplomatic missions. It is unknown how many of the missions had their systems compromised by the attack.

The Unit 42 researchers said the breadth of the attack was “astonishing” and that the tools, software, programmes and modus operandi of the operation pointed to the Cozy Bear group. The researchers said it targeted dozens of individuals in 22 embassies via email.

The attack came to light when the Polish diplomat was contacted by a potential purchaser for his car who stated a price that was lower than the one he had sought. The advertisement refashioned by the Russian hackers had reduced the price being sought for the car in order to get more people to open the email.

“The Department of Foreign Affairs in any country is the number one target for State-sponsored cyberattacks,” Mr Smyth said. “So they have to devote the most attention to the quality of their cyber defences. And that applies to Ireland as well.”

Mr Smyth said such attacks were becoming more regular.

“There are constant attempts attacking Irish networks and critical infrastructure, both at home and abroad. The National Cyber Security Centre would be aware of about 2,000 of these each year. It’s a constant thing that they have to deal with.”

He said Ireland had provided cybersecurity support to Ukraine worth €1 million in the past year. “It is part of our aid to Ukraine, part of our non-military aid to Ukraine to provide improved defensive capability to their cybersecurity function. And you know, it is an important thing.”

Harry McGee


Harry McGee is a Political Correspondent with The Irish Times