According to security researchers, hackers with evident ties to the Belarusian government have been targeting foreign diplomats in the country for nearly a decade.
On Thursday, the antivirus company ESET released a report detailing the activities of a newly discovered government hacking group, which the company has labeled MoustachedBouncer. According to ESET, the group likely hacked or at least targeted diplomats by intercepting their internet service provider (ISP) connections, indicating close collaboration with the Belarusian government.
Since 2014, at least four foreign embassies in Belarus have been targeted by MoustachedBouncer: two from Europe, one from South Asia, and one from Africa.
Matthieu Faou, an ESET researcher, told TechCrunch in an interview prior to his presentation at the Black Hat cybersecurity conference in Las Vegas: “The operators were trained to find confidential documents, but we’re unsure exactly what they were looking for. They operate exclusively within Belarus against foreign diplomats. Therefore, we have never witnessed a MoustachedBouncer attack outside of Belarus.”
MoustachedBouncer was first detected by ESET in February 2022, days after Russia invaded Ukraine, in a cyberattack against specific diplomats in the embassy of a European nation “somehow involved in the war.” Faou declined to identify the nation.
By manipulating network traffic, the hacking group can convince the target’s Windows operating system that it is connected to a network with a captive portal.
According to the report, the target is then redirected to a malicious website masquerading as Windows Update, which warns the target that “critical system security updates must be installed.”
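The captive-portal trick above works because Windows decides whether it is behind a sign-in page by fetching a small probe over plain HTTP and comparing the answer with a fixed expected body. As an added, defender-side example (not code from the ESET report or the article), the following script checks a captured probe response and flags the redirect or body mismatch that would make Windows display a portal page. It assumes the documented NCSI probe (http://www.msftconnecttest.com/connecttest.txt answering `200 OK` with the body `Microsoft Connect Test`); the sample responses are constructed.

```python
# Added example: classify a Windows NCSI connectivity-probe response.
# Assumed NCSI behaviour: a genuine answer is "200 OK" with the exact body
# "Microsoft Connect Test"; a redirect or a different body makes Windows
# treat the network as a captive portal and open the redirect target.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EXPECTED_BODY = b"Microsoft Connect Test"
REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class ProbeVerdict:
    status: int
    location: Optional[str]   # redirect target, if any
    genuine: bool
    reason: str


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Minimal HTTP/1.x response parser: status code, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1].decode())
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().decode().lower()] = value.strip().decode()
    return status, headers, body


def check_ncsi_probe(raw: bytes) -> ProbeVerdict:
    """Return whether the probe answer is the genuine NCSI response and why not otherwise."""
    status, headers, body = parse_http_response(raw)
    location = headers.get("location")
    if status in REDIRECT_CODES:
        return ProbeVerdict(status, location, False,
                            f"probe redirected to {location}: captive-portal behaviour")
    if status != 200:
        return ProbeVerdict(status, location, False, f"unexpected status {status}")
    if body.strip() != EXPECTED_BODY:
        return ProbeVerdict(status, location, False, "body differs from expected NCSI text")
    return ProbeVerdict(status, location, True, "genuine NCSI response")


# Constructed sample responses (not real captures); the hostname is a placeholder.
GENUINE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
           b"Content-Length: 22\r\n\r\nMicrosoft Connect Test")
TAMPERED = (b"HTTP/1.1 302 Found\r\nLocation: http://portal.example/login\r\n"
            b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for sample in (GENUINE, TAMPERED):
        verdict = check_ncsi_probe(sample)
        print(verdict.genuine, verdict.reason)
```

Running the same check against probe responses logged at an egress proxy is one way to notice when the probe is answered by something other than the expected Microsoft endpoint.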
It is unclear how MoustachedBouncer intercepts and modifies traffic — a technique known as an adversary-in-the-middle, or AitM — but ESET researchers believe Belarusian ISPs are collaborating with the attacks, allowing the hackers to use a lawful intercept system similar to the one Russia uses, known as SORM.
This surveillance system’s existence has been known for years. According to a 2016 Amnesty International report, all Belarusian telecom companies are required to “make their hardware compatible with the SORM system.”
Once ESET researchers discovered the attack in February 2018 and analyzed the malware used, they were able to identify additional attacks, the earliest of which dates back to 2014, although, according to Faou, there is no trace of them between 2014 and 2018.
“They remained undetected for an extended period of time. If they were able to compromise high-profile targets such as diplomats while no one spoke about them and there were very few malware samples available for analysis, this indicates that they are quite successful,” he said. “It demonstrates that they are cautious when performing operations.”