New APT29 campaign sets sights on Western diplomats

BleepingComputer reports that Western diplomats in Ukraine, including those of the U.S., Canada, Spain, and the Netherlands, have been targeted by Russian state-backed hacking operation APT29, also known as Nobelium and Cloaked Ursa, in attacks using a BMW car advertisement that began in May. Attackers have sent a sale flier spoofing a legitimate car sale observed two weeks before a Polish diplomat's departure to the email addresses of diplomats that includes a link for "more high-quality photos," which when clicked would redirect to an HTML page leveraging HTML smuggling for malicious ISO payload distribution, according to a report from Palo Alto Networks' Unit 42 team. Included in the ISO file are LNK files posing as PNG images that eventually result in the deployment of an executable with shellcode injection capabilities. Researchers noted that real-world events have also been used by APT29 in attacking the Turkish Ministry of Foreign Affairs earlier this year.