Belarus hackers target foreign diplomats with help of local ISPs, researchers say

Hackers with apparent links to the Belarusian government have been targeting foreign diplomats in the country for nearly 10 years, according to security researchers.

On Thursday, antivirus firm ESET published a report that details the activities of a newly discovered government hacking group that the company has dubbed MoustachedBouncer. The group has likely been hacking or at least targeting diplomats by intercepting their connections at the internet service provider (ISP) level, suggesting close collaboration with Belarus’ government, according to ESET.

Since 2014, MoustachedBouncer has targeted at least four foreign embassies in Belarus: two European nations, one from South Asia, and another from Africa.

“The operators were trained to find some confidential documents, but we’re not sure exactly what they were looking for,” ESET researcher Matthieu Faou told TechCrunch in an interview ahead of his talk at the Black Hat cybersecurity conference in Las Vegas. “They are operating only inside Belarus against foreign diplomats. So we have never seen any attack by MoustachedBouncer outside of Belarus.”

ESET said it first detected MoustachedBouncer in February 2022, days after Russia invaded Ukraine, with a cyberattack against specific diplomats in the embassy of a European country “somehow involved in the war,” Faou said, declining to name the country.

By tampering with network traffic, the hacking group is able to trick the target’s Windows operating system into believing it’s connected to a network with a captive portal. The target is then redirected to a fake and malicious site masquerading as Windows Update, which warns the target that there are “critical system security updates that must be installed,” according to the report.

It’s not clear how MoustachedBouncer can intercept and modify traffic — a technique known as an adversary-in-the-middle, or AitM — but ESET researchers believe it’s because Belarusian ISPs are collaborating with the attacks, allowing the hackers to use a lawful intercept system similar to the one Russia deploys, known as SORM.
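The captive-portal trick described above works because Windows decides it is behind a portal when its connectivity probe comes back altered. The following detection check is an added example written for this page, not code from ESET or from the report: it parses a Windows-style connectivity probe response and flags the signs of in-path tampering (a redirect, a replaced body, an HTML page where plain text is expected). It assumes the Windows NCSI probe fetches http://www.msftconnecttest.com/connecttest.txt and expects an HTTP 200 whose body is the marker text "Microsoft Connect Test"; the three HTTP responses embedded in the block are constructed samples, not real captures, and the redirect hostname in them is a placeholder.

```python
"""Check a Windows connectivity-probe (NCSI) response for signs of AitM tampering.

Added example, not from the ESET report or the article. Assumption: Windows fetches
PROBE_PATH on PROBE_HOST and expects a 200 response whose body is EXPECTED_BODY.
Anything else (a 3xx redirect, a different body, an HTML page) is what makes
Windows show the "captive portal" notice that the article describes.
"""
import http.client
from dataclasses import dataclass

PROBE_HOST = "www.msftconnecttest.com"   # real NCSI probe host (Windows 10+)
PROBE_PATH = "/connecttest.txt"
EXPECTED_BODY = b"Microsoft Connect Test"  # marker text Windows expects


@dataclass
class ProbeVerdict:
    tampered: bool
    reason: str


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lowercased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator in response")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed status line")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def assess_probe(status: int, headers: dict, body: bytes) -> ProbeVerdict:
    """Decide whether the probe response is what the genuine server would send."""
    if 300 <= status < 400:
        target = headers.get("location", "<none>")
        return ProbeVerdict(True, f"probe redirected to {target}; the genuine probe never redirects")
    if status != 200:
        return ProbeVerdict(True, f"unexpected HTTP status {status}")
    if "html" in headers.get("content-type", "").lower():
        return ProbeVerdict(True, "HTML served where plain marker text is expected")
    if body.strip() != EXPECTED_BODY:
        return ProbeVerdict(True, "body does not match the expected marker text")
    return ProbeVerdict(False, "probe response matches the expected marker")


def assess_raw(raw: bytes) -> ProbeVerdict:
    return assess_probe(*parse_http_response(raw))


def fetch_probe_live(timeout: float = 5.0) -> ProbeVerdict:
    """Issue the probe over plain HTTP without following redirects (http.client does
    not follow them), so an injected 3xx is seen rather than silently followed."""
    conn = http.client.HTTPConnection(PROBE_HOST, 80, timeout=timeout)
    conn.request("GET", PROBE_PATH, headers={"Host": PROBE_HOST, "User-Agent": "Microsoft NCSI"})
    resp = conn.getresponse()
    body = resp.read()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return assess_probe(resp.status, headers, body)


# Constructed sample responses (not real captures).
GENUINE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 22\r\n\r\n"
           b"Microsoft Connect Test")
# An in-path redirect to a placeholder "update" host, as a tampering AitM might inject.
INJECTED = (b"HTTP/1.1 302 Found\r\nLocation: http://updates.example.invalid/security-update\r\n"
            b"Content-Length: 0\r\n\r\n")
# A replaced body echoing the lure text quoted in the article.
REPLACED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html>critical system security updates that must be installed</html>")

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("injected", INJECTED), ("replaced", REPLACED)):
        print(name, assess_raw(sample))
    try:
        print("live", fetch_probe_live())
    except OSError as exc:  # offline or blocked egress
        print("live probe skipped:", exc)
```

On a host you suspect is being intercepted, run the live probe from the diplomat's network and compare the verdict with one taken from a known-clean link; a redirect or a replaced body on the plain-HTTP probe is the concrete symptom that precedes the fake captive-portal prompt, while the genuine response arrives as a 200 with the marker text and no Location header.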

The existence of this surveillance system has been known for years. In Belarus, all telecom providers “must make their hardware compatible with the SORM system,” according to a 2016 Amnesty International report.

Once ESET researchers found the attack last February and analyzed the malware used, they were able to discover other attacks — the oldest dating back to 2014 — although there is no trace of them between 2014 and 2018, according to Faou.

“They stayed under the radar for a long time. And so it means that they’re quite successful if they were able to compromise high profile targets such as diplomats, while no one really spoke about them, and there have been very few malware samples available for analysis,” he said. “It shows that they’re quite careful when doing the operations.”

Do you have information about this hacking group? Or other advanced persistent threats (APTs)? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.