Suspected Belarusian Government-Linked Hackers Targeted Foreign Diplomats for Nearly a Decade, Report Reveals
A recent report from cybersecurity firm ESET indicates that hackers believed to have ties to the Belarusian government have been systematically targeting foreign diplomats within the country for nearly a decade. The group, dubbed "MoustachedBouncer" by ESET, is thought to have compromised, or at least targeted, diplomatic officials by intercepting their internet connections at the ISP level, a capability that points to a close working relationship with the Belarusian government.
ESET's report highlights that since 2014, the MoustachedBouncer group has focused its efforts on at least four foreign embassies located in Belarus, representing European, South Asian, and African nations. ESET researcher Matthieu Faou explained that the group's main goal seems to be the acquisition of confidential documents, although specific details about their motives remain uncertain.
The technique ESET uncovered tampers with network traffic so that a target's Windows machine believes it is connected to a network with a captive portal. The target is then directed to a malicious site posing as a Windows Update page, which warns that critical security updates must be installed immediately.
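As an added illustration (not code from ESET's report or the article), here is how a defender might check what that captive-portal trick does to the operating system's connectivity probe: the script parses raw HTTP replies to the Windows probe request and flags any reply that would make Windows show the captive-portal prompt, ranking a redirect whose target imitates Microsoft or Windows Update above an ordinary portal. The probe URL, expected body and trusted-host list are assumptions about Windows' connectivity check, and the sample replies are constructed.

```python
from urllib.parse import urlparse

# Assumption (not stated in the article): Windows' connectivity check (NCSI)
# fetches http://www.msftconnecttest.com/connecttest.txt over plain HTTP and
# expects exactly this body; any other answer triggers the captive-portal UI.
EXPECTED_BODY = b"Microsoft Connect Test"
TRUSTED_SUFFIXES = ("msftconnecttest.com", "microsoft.com")  # assumed list
REDIRECTS = {301, 302, 303, 307, 308}
LURE_WORDS = ("microsoft", "windows", "update")  # names a fake-update lure borrows

def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x reply into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def host_is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def classify_probe(raw: bytes) -> tuple:
    """Return (state, reason); state is 'clean', 'captive_portal' or 'suspicious'."""
    status, headers, body = parse_http_response(raw)
    if status == 200 and body.strip() == EXPECTED_BODY:
        return "clean", "probe answered as expected"
    if status in REDIRECTS and "location" in headers:
        target = urlparse(headers["location"])
        host = target.hostname or ""
        if host_is_trusted(host):
            return "clean", f"redirect stays on trusted host {host}"
        # A portal dressed up as Windows Update is the lure the article describes.
        if any(w in (host + target.path).lower() for w in LURE_WORDS):
            return "suspicious", f"portal imitates Microsoft: {headers['location']}"
        return "captive_portal", f"redirect to {host}"
    return "captive_portal", f"unexpected status {status}, body {body[:40]!r}"

# Constructed sample replies (not real captures): genuine, hotel portal, fake-update lure.
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Length: 22\r\n\r\nMicrosoft Connect Test"
HOTEL = b"HTTP/1.1 302 Found\r\nLocation: http://login.hotel-wifi.example/\r\n\r\n"
LURE = b"HTTP/1.1 302 Found\r\nLocation: http://windows-update.example/updates.php\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("hotel", HOTEL), ("lure", LURE)):
        print(f"{name:6} -> {classify_probe(raw)}")
```

Because the probe itself is plain HTTP, an on-path provider can answer it; a live check would issue that request and hand the raw reply bytes to `classify_probe`.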
Despite MoustachedBouncer's decade-long operation, there's little evidence of their activities between 2014 and 2018. Researchers at ESET stumbled upon their attack in February 2022, following Russia's invasion of Ukraine, during an incident aimed at diplomats in a European embassy directly connected to the ongoing conflict.
While the exact mechanics of how MoustachedBouncer intercepts and alters traffic, an "adversary-in-the-middle" (AitM) technique, remain unclear, ESET's experts suggest that the group's success may rest on collaboration with Belarusian ISPs. Such collaboration could give the hackers access to a lawful-intercept system similar to Russia's SORM, which exists for precisely this kind of traffic interception.
Notably, Belarus has long had a surveillance system in place that requires telecom providers to ensure compatibility with SORM, as detailed in a 2016 Amnesty International report.
ESET's findings underscore the group's ability to stay under the radar even while targeting high-profile individuals such as diplomats. Although few malware samples were available for analysis, ESET's researchers noted that MoustachedBouncer's careful tradecraft and prolonged success against significant targets reflect a meticulous approach to its operations.