Foreign diplomats targeted by Belarus MoustachedBouncer hackers


Belarus government-linked hackers spied on foreign diplomats in the country for almost a decade with support from local internet service providers (ISPs), research by ESET reveals.

The MoustachedBouncer cyberespionage group targeted foreign embassies in Belarus since at least 2014, researchers have disclosed for the first time.

The threat group uses the adversary-in-the-middle technique to perform attacks at the ISP level within Belarus to compromise its targets. It’s assessed with medium confidence that the hackers are aligned with the interests of the Belarus state.


Embassies of four different countries have been targeted: two from Europe, one from South Asia, and one from Africa, researchers identified.

Some elements hint that MoustachedBouncer is closely collaborating with another active threat group targeting European diplomats known as Winter Vivern, discovered in 2021.

“To compromise their targets, MoustachedBouncer operators tamper with their victims’ internet access, probably at the ISP level, to make Windows believe it’s behind a captive portal,” ESET Research explains.

A captive portal is the web page a public Wi-Fi network shows to require users to log in or accept terms before they can reach the internet.

The hackers tampered with victims' traffic to redirect them to a seemingly legitimate but fake Windows Update page. The page stated that critical system security updates must be installed. Researchers could not retrieve the fake update file, but telemetry showed it contained a malicious executable.
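The following is an added illustration, not code from ESET's report, of how a defender can spot the trick described above from the endpoint side. Windows decides it is behind a captive portal by fetching http://www.msftconnecttest.com/connecttest.txt and expecting the plain-text body "Microsoft Connect Test"; any redirect or altered body triggers the captive-portal prompt. The script classifies probe responses and then checks whether the "portal" page behaves like a real one (login or terms) or like the lure described here (update wording plus a plain-HTTP executable). All responses and HTML below are constructed sample data, and the update-portal.example hostname is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# What a clean network returns for Windows' NCSI (Network Connectivity
# Status Indicator) probe: HTTP 200 with exactly this body.
NCSI_PROBE_HOST = "www.msftconnecttest.com"
NCSI_EXPECTED_BODY = "Microsoft Connect Test"


@dataclass
class ProbeResponse:
    """Minimal view of an HTTP response to the NCSI probe."""
    status: int
    headers: Dict[str, str]
    body: str


def classify_probe(resp: ProbeResponse) -> Tuple[str, Optional[str]]:
    """Classify what the NCSI probe got back.

    Returns (verdict, redirect_host). On a wired embassy or office network
    where no captive portal is expected, anything other than "clean" is an
    event worth logging: it means something between the endpoint and
    Microsoft rewrote or answered the probe.
    """
    if resp.status == 200 and resp.body.strip() == NCSI_EXPECTED_BODY:
        return ("clean", None)
    if 300 <= resp.status < 400:
        # A redirect is exactly how a portal (real or injected) captures Windows.
        host = urlparse(resp.headers.get("Location", "")).hostname
        return ("redirected", host)
    if resp.status == 200:
        # Right status, wrong body: the response was replaced in transit.
        return ("content-replaced", None)
    return ("unreachable", None)


# A genuine captive portal asks you to log in or accept terms. A page that
# talks about Windows updates and links a plain-HTTP executable does not.
UPDATE_WORDS = re.compile(r"windows update|security update|critical update", re.I)
PLAIN_HTTP_EXE = re.compile(r"""href=["'](http://[^"']+\.(?:exe|msi))["']""", re.I)


def looks_like_fake_update(portal_html: str) -> bool:
    """True when the portal page carries the fake-update lure pattern."""
    return bool(UPDATE_WORDS.search(portal_html)) and bool(PLAIN_HTTP_EXE.search(portal_html))


# ---- constructed sample data (not captured from any real incident) ----
CLEAN = ProbeResponse(200, {"Content-Type": "text/plain"}, "Microsoft Connect Test")
TAMPERED = ProbeResponse(302, {"Location": "http://update-portal.example/login"}, "")
REPLACED = ProbeResponse(200, {"Content-Type": "text/html"}, "<html>login</html>")

FAKE_PORTAL_HTML = """<html><body><h1>Windows Update</h1>
<p>Critical system security updates must be installed before continuing.</p>
<a href="http://update-portal.example/files/update.exe">Install now</a>
</body></html>"""

REAL_PORTAL_HTML = """<html><body><h1>Guest Wi-Fi</h1>
<form action="/login" method="post"><input name="user"><input name="pass">
<input type="checkbox" name="accept_terms"> I accept the terms</form>
</body></html>"""


if __name__ == "__main__":
    for name, resp in [("clean", CLEAN), ("tampered", TAMPERED), ("replaced", REPLACED)]:
        print(name, "->", classify_probe(resp))
    print("fake portal flagged:", looks_like_fake_update(FAKE_PORTAL_HTML))
    print("real portal flagged:", looks_like_fake_update(REAL_PORTAL_HTML))
```

The two checks are deliberately separate: a redirected NCSI probe alone is normal on hotel Wi-Fi, so the alert-worthy combination for an embassy network is a redirect on a link where no portal should exist, followed by a portal page that pushes an executable instead of a login form.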

Two separate ISP networks contributed to these attacks: Unitary Enterprise A1 and Beltelecom.

“This suggests that those ISPs may not provide full data confidentiality and integrity. We strongly recommend that foreign organizations in Belarus use an end-to-end encrypted VPN tunnel, ideally out-of-band (i.e., not from the endpoint), providing internet connectivity from a trusted network,” ESET writes.

Adversary-in-the-middle attacks of this kind usually rely on the so-called “lawful interception” surveillance infrastructure that security services in countries such as Russia deploy on ISPs’ premises.


The scenario is similar to that of the Turla and StrongPity threat actors, which have trojanized software installers on the fly at the ISP level. Attackers could not perform such attacks without “significant access inside the internet service providers, or their upstream providers.”

In Russia, a law from 2014 requires ISPs to install devices called SORM-3 that enable the Federal Security Service (FSB) to conduct targeted surveillance.

The malware families MoustachedBouncer has deployed through this traffic interception have evolved since 2014: from malware frameworks using email protocols (SMTP and IMAP) to a simple dropper capable of taking screenshots, recording audio, and stealing files.