According to ESET Research’s cybersecurity researchers, the Belarusian government had been spying upon foreign diplomats in the country for years through the MoustachedBouncer hacking group.
The research has confirmed that at least one embassy from South Asia, one from Africa, and two from Europe have been the targets of a state-sponsored espionage campaign, active since 2014.
The hackers utilized a wide range of attack techniques, including C++ modular backdoors, adversary-in-the-middle attacks, and email-based C&C protocols, and performed their attacks at the ISP level from within the country for spying.
“To compromise their targets, MoustachedBouncer operators tamper with their victims’ internet access, probably at the ISP level, to make Windows believe it’s behind a captive portal,” ESET’s report read.
For your information, adversary-in-the-middle attacks rely on ‘lawful interception’ espionage infrastructure e.g. SORM. In Russia and many other countries, it is deployed by security services on ISP premises.
Campaign Active Since 2014
The espionage activity started in 2014, which is surprising considering that this is the first time it has been disclosed. Since 2014, the group has used numerous malware families to achieve network intervention.
Initially, MoustachedBouncer used malware frameworks based on email protocols (SMTP and IMAP), and later switched to droppers that could steal files, take screenshots, and record conversations.
Hackers Backed by the State
Researchers suspect that MoustachedBouncer has full backing from the Belarusian government and probably has ties with other hacking groups. This view is strengthened by the fact that MoustachedBouncer has a close affiliation with another highly active hacking group, Winter Vivern.
The Winter Vivern group was discovered in 2021 and is known for targeting European diplomats. Its attack techniques resemble those of two other threat actors, StrongPity and Turla, both of which trojanized software installers at the ISP level.
Attack Tactic Analysis
Per ESET’s report, authored by malware researcher Matthieu Faou, the hackers tampered with their targets’ traffic to redirect them to a genuine-looking but fake Windows Update page. This page promised critical system security updates that needed to be installed urgently.
Per ESET telemetry, this page delivered a fake update file containing the malicious executable, and two local ISP networks, Beltelecom and Unitary Enterprise A1, contributed to this campaign.
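The redirection described above works by answering Windows’ captive-portal probe (the NCSI request for connecttest.txt) with something other than the expected marker. The following is an added, illustrative detection check, not code from ESET’s report: it classifies probe responses and flags a redirect off Microsoft’s hosts or an HTML “update” page where the plain-text marker should be. The sample responses and the .test domain are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Public Windows NCSI probe endpoint and the exact body it expects.
NCSI_URL = "http://www.msftconnecttest.com/connecttest.txt"
NCSI_EXPECTED_BODY = "Microsoft Connect Test"
# Hosts where a redirect of the probe is unusual but still Microsoft-controlled.
TRUSTED_SUFFIXES = ("msftconnecttest.com", "microsoft.com", "windowsupdate.com")

def _is_trusted_host(host):
    # Exact match or a proper subdomain; avoids matching "microsoft.com.attacker.test".
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def classify_probe(status, headers, body):
    """Return (verdict, reason) for one captive-portal probe response.

    An on-path actor that wants Windows to believe it is behind a captive portal
    must alter this response; a redirect to a non-Microsoft host, or a 200 whose
    body is an HTML page instead of the marker, is the signal to alert on."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200 and body.strip() == NCSI_EXPECTED_BODY:
        return ("clean", "expected NCSI marker returned")
    if status in (301, 302, 303, 307, 308):
        loc = hdrs.get("location", "")
        host = (urlparse(loc).hostname or "").lower()
        if host and _is_trusted_host(host):
            return ("suspicious", f"unexpected redirect within Microsoft space: {loc}")
        return ("tampered", f"probe redirected off-Microsoft to {host or '<no host>'}")
    if status == 200:
        if re.search(r"<html|<script|update", body, re.I):
            return ("tampered", "probe answered with HTML/update content instead of marker")
        return ("suspicious", "200 with unexpected body")
    return ("suspicious", f"unexpected status {status}")

def scan(responses):
    """Classify a batch of (status, headers, body) tuples, e.g. from a proxy log."""
    return [classify_probe(s, h, b) for s, h, b in responses]

# Constructed sample responses: one clean, one redirect to a look-alike ISP
# portal, one HTML page posing as a critical update.
SAMPLE_RESPONSES = [
    (200, {"Content-Type": "text/plain"}, "Microsoft Connect Test"),
    (302, {"Location": "http://microsoft.com.isp-portal.test/update/"}, ""),
    (200, {"Content-Type": "text/html"},
     "<html><body>Critical security update required. Install now.</body></html>"),
]

if __name__ == "__main__":
    for verdict, reason in scan(SAMPLE_RESPONSES):
        print(f"{verdict:10s} {reason}")
```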
“We strongly recommend that foreign organizations in Belarus use an end-to-end encrypted VPN tunnel, ideally out-of-band (i.e., not from the endpoint), providing internet connectivity from a trusted network,” Faou wrote.
There is evidence that since June 2017, diplomats from four countries were targeted by MoustachedBouncer: two from Europe, one from Northeast Africa, and one from South Asia. One of the two European diplomats was targeted twice, between November 2020 and July 2022.
About MoustachedBouncer
This previously undocumented cyberespionage group only targets foreign embassies in Belarus and has most likely been performing ISP-level adversary-in-the-middle attacks since 2020. This hacking group prefers using NightClub and Disco toolsets and used them in this campaign as well.
Researchers have documented MoustachedBouncer as an independent group, but believe it works in collaboration with Winter Vivern, which was discovered in 2021. Proofpoint reported that Winter Vivern used an XSS vulnerability in the Zimbra mail portal to steal the webmail credentials of diplomats from European countries.