Belarus hackers target foreign diplomats with help of local ISPs, researchers say


Hackers with apparent links to the Belarusian government have been targeting foreign diplomats in the country for about 10 years, according to security researchers.

On Thursday, antivirus firm ESET published a report that details the activities of a newly discovered government hacking group that the company has dubbed MoustachedBouncer. The group has likely been hacking or at least targeting diplomats by intercepting their connections at the internet service provider (ISP) level, suggesting close collaboration with Belarus’ government, according to ESET.

Since 2014, MoustachedBouncer has targeted at least four foreign embassies in Belarus: two European nations, one from South Asia, and another from Africa.

“The operators were trained to find some confidential documents, but we’re not sure exactly what they were looking for,” ESET researcher Matthieu Faou told TechCrunch in an interview ahead of his talk at the Black Hat cybersecurity conference in Las Vegas. “They are operating only inside Belarus against foreign diplomats. So we have never seen any attack by MoustachedBouncer outside of Belarus.”

ESET said it first detected MoustachedBouncer in February 2022, days after Russia invaded Ukraine, with a cyberattack against specific diplomats in the embassy of a European country “somehow involved in the war,” Faou said, declining to name the country.

By tampering with network traffic, the hacking group is able to trick the target’s Windows operating system into believing it’s connected to a network with a captive portal. The target is then redirected to a fake and malicious site masquerading as Windows Update, which warns the target that there are “critical system security updates that must be installed,” according to the report.
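For defenders, the captive-portal trick described above leaves a visible trace: the Windows connectivity probe comes back redirected or altered on a network that should have no portal. The sketch below is an added example, not code from ESET's report or the original article; it assumes proxy or packet-capture records in a hypothetical dict format, uses constructed sample data, and relies on the standard Windows connectivity check URL, which the article itself does not name.

```python
from urllib.parse import urlparse

# Windows' connectivity check (NCSI) fetches this URL over plain HTTP and
# expects a 200 response with exactly this body.
NCSI_HOST = "www.msftconnecttest.com"
NCSI_PATH = "/connecttest.txt"
NCSI_BODY = "Microsoft Connect Test"


def classify_probe(rec):
    """Return None for non-probe traffic, else 'ok', 'redirected' or 'modified'."""
    if rec["host"].lower() != NCSI_HOST or rec["path"] != NCSI_PATH:
        return None
    if 300 <= rec["status"] < 400:
        return "redirected"
    if rec["status"] == 200 and rec.get("body", "").strip() == NCSI_BODY:
        return "ok"
    return "modified"


def suspect_probes(records, expected_portals=frozenset()):
    """List (client, verdict, redirect_host) for probes that were tampered with.

    expected_portals is a hypothetical allowlist of portal hosts the network
    owner actually operates (for example a guest Wi-Fi login page).
    """
    findings = []
    for rec in records:
        verdict = classify_probe(rec)
        if verdict in (None, "ok"):
            continue
        target = urlparse(rec.get("location") or "").hostname
        if verdict == "redirected" and target in expected_portals:
            continue
        findings.append((rec["client"], verdict, target))
    return findings


# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE = [
    {"client": "10.0.0.5", "host": NCSI_HOST, "path": NCSI_PATH, "status": 200, "body": NCSI_BODY},
    {"client": "10.0.0.7", "host": NCSI_HOST, "path": NCSI_PATH, "status": 302, "location": "http://update.example.test/start"},
    {"client": "10.0.0.8", "host": NCSI_HOST, "path": NCSI_PATH, "status": 200, "body": "<html>Install critical updates</html>"},
    {"client": "10.0.0.9", "host": NCSI_HOST, "path": NCSI_PATH, "status": 302, "location": "http://guest-portal.example.net/login"},
    {"client": "10.0.0.5", "host": "example.org", "path": "/", "status": 200, "body": "hello"},
]

if __name__ == "__main__":
    for finding in suspect_probes(SAMPLE, {"guest-portal.example.net"}):
        print(finding)
```

A finding on a wired, managed network is worth investigating on its own, since the probe travels over unencrypted HTTP and anyone on the path can rewrite it.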

It’s not clear how MoustachedBouncer can intercept and modify traffic — a technique known as an adversary-in-the-middle, or AitM — but ESET researchers believe it’s because Belarusian ISPs are collaborating with the attacks, allowing the hackers to use a lawful intercept system similar to the one Russia deploys, known as SORM.

The existence of this surveillance system has been known for years. In Belarus, all telecom providers “must make their hardware compatible with the SORM system,” according to a 2016 Amnesty International report.

Once ESET researchers found the attack last February and analyzed the malware used, they were able to discover other attacks — the oldest dating back to 2014 — although there is no trace of them between 2014 and 2018, according to Faou.

“They stayed under the radar for a long time. And so it means that they’re quite successful if they were able to compromise high profile targets such as diplomats, while no one really spoke about them, and there have been very few malware samples available for analysis,” he said. “It shows that they’re quite careful when doing the operations.”
