Russian hackers linked to Russia's Foreign Intelligence Service (SVR) targeted dozens of diplomats at foreign embassies in Ukraine, using a fake ad for the sale of a used BMW car to hack into their computers, according to a statement issued today by cyber security company Palo Alto Networks.

The large-scale espionage activity targeted diplomats working in at least 22 of the roughly 80 foreign missions in Ukraine's capital, Kyiv, analysts from Palo Alto Networks' research unit, Unit 42, said in their report.

“The campaign began with an innocent and legitimate incident,” reads the report, available to Reuters.

“In mid-April, a Polish Foreign Ministry diplomat e-mailed several embassies a legitimate brochure advertising the sale of a used BMW located in Kiev.”

The Polish diplomat, who requested anonymity for security reasons, confirmed that he was the one who promoted his car ad online.

Hackers known as APT29, or “Pleasant Bear,” swooped in and copied that ad, added malware, and then sent it to dozens of other foreign diplomats working in Kyiv, Unit 42 said.

In 2021, US and UK intelligence agencies identified APT29 as an arm of Russia's Foreign Intelligence Service, the SVR. The SVR did not respond to Reuters' request for comment on the hackers' activity.

In April, Polish counterintelligence and cyber security agencies warned that the same group was linked to a “large-scale intelligence operation” against NATO, European Union and African countries.

Unit 42 investigators were able to trace the fake car ad’s connection to SVR because the hackers reused some tools and techniques previously associated with the spy agency.

“Diplomatic missions will always be a high-value espionage target,” the Unit 42 report states. “Sixteen months after the Russian invasion of Ukraine, intelligence surrounding Ukraine and allied diplomatic efforts is almost certainly a high priority for the Russian government.”

The used BMW

The Polish diplomat said he had sent the original ad to various embassies in Kyiv and that someone had called him because the price seemed “attractive”.

“When I checked it, I realized they were talking about a slightly lower price,” the diplomat told Reuters.

In their fake version of the ad, the SVR hackers listed the diplomat's BMW at a lower price of 7,500 euros in an attempt to get more people to download the malware that would give the hackers access to their computers, Reuters reports.

The malicious software, Unit 42 reported, took the form of a photo album of used BMW cars. Attempts to open the photos would result in the targeted users' computers being infected, the company's analysts said in the report.

Twenty-one of the 22 embassies targeted by the hackers that Reuters contacted did not respond to requests for comment. It is unclear which embassies, if any, were breached by the hackers.

A State Department spokesperson said they were “aware of this activity and based on the Cybersecurity and Technology Directorate’s analysis determined that it did not affect State Department systems or accounts.”

As for the car, it is still available, the Polish diplomat told Reuters.

“I’ll probably try to sell it in Poland,” he said. “After what happened I don’t want to have any more problems.”