Belarus hackers target foreign diplomats with help of local ISPs, researchers say
Hackers with apparent links to the Belarusian government have been targeting foreign diplomats in the country for nearly 10 years, according to security researchers.
On Thursday, antivirus firm ESET published a report that details the activities of a newly discovered government hacking group that the company has dubbed MoustachedBouncer. The group has likely been hacking or at least targeting diplomats by intercepting their connections at the internet service provider (ISP) level, suggesting close collaboration with Belarus’ government, according to ESET.
Since 2014, MoustachedBouncer has targeted at least four foreign embassies in Belarus: two European nations, one from South Asia, and another from Africa.
“The operators were trained to find some confidential documents, but we’re not sure exactly what they were looking for,” ESET researcher Matthieu Faou told TechCrunch in an interview ahead of his talk at the Black Hat cybersecurity conference in Las Vegas. “They are operating only inside Belarus against foreign diplomats. So we have never seen any attack by MustachedBouncer outside of Belarus.”
ESET said it first detected MoustachedBouncer in February 2022, days after Russia invaded Ukraine, with a cyberattack against specific diplomats in the embassy of a European country “somehow involved in the war,” Faou said, declining to name the country.
By tampering with network traffic, the hacking group is able to trick the target’s Windows operating system into believing it’s connected to a network with a captive portal. The target is then redirected to a fake and malicious site masquerading as Windows Update, which warns the target that there are “critical system security updates that must be installed,” according to the report.
It’s not clear how MoustachedBouncer can intercept and modify traffic — a technique known as an adversary-in-the-middle, or AitM — but ESET researchers believe it’s because Belarusian ISPs are collaborating with the attacks, allowing the hackers to use a lawful intercept system similar to the one Russia deploys, known as SORM.
The existence of this surveillance system has been known for years. In Belarus, all telecom providers “must make their hardware compatible with the SORM system,” according to a 2016 Amnesty International report.
Once ESET researchers found the attack last February and analyzed the malware used, they were able to discover other attacks — the oldest dating back to 2014 — although there is no trace of them between 2014 and 2018, according to Faou.
“They stayed under the radar for a long time. And so it means that they’re quite successful if they were able to compromise high profile targets such as diplomats, while no one really spoke about them, and there have been very few malware samples available for analysis,” he said. “It shows that they’re quite careful when doing the operations.”
Do you have information about this hacking group? Or other advanced persistent threats (APTs)? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Wire @lorenzofb, or email [email protected]. You also can contact TechCrunch via SecureDrop.