News article: https://techcrunch.com/2023/08/10/belarus-hackers-target-foreign-diplomats/

News Summary

  • A hacking group with apparent links to the Belarusian government has been targeting foreign diplomats in the country for nearly 10 years.
  • The group, which ESET has dubbed MoustachedBouncer, has likely been hacking or at least targeting diplomats by intercepting their connections at the internet service provider (ISP) level, suggesting close collaboration with Belarus’ government.
  • Since 2014, MoustachedBouncer has targeted at least four foreign embassies in Belarus: two European nations, one from South Asia, and another from Africa.
  • ESET first detected MoustachedBouncer in February 2022, days after Russia invaded Ukraine, with a cyberattack against specific diplomats in the embassy of a European country “somehow involved in the war.”
  • The hacking group is able to trick the target’s Windows operating system into believing it’s connected to a network with a captive portal. The target is then redirected to a fake and malicious site masquerading as Windows Update, which warns the target that there are “critical system security updates that must be installed.”
  • It’s not clear how MoustachedBouncer can intercept and modify traffic, but ESET researchers believe it’s because Belarusian ISPs are collaborating with the attacks, allowing the hackers to use a lawful intercept system similar to the one Russia deploys, known as SORM.
  • Once ESET researchers found the attack last February and analyzed the malware used, they were able to discover other attacks, the oldest dating back to 2014, although there is no trace of activity between 2014 and 2018.
  • MoustachedBouncer’s activity spans from 2014 to 2022, and the group’s tactics, techniques and procedures (TTPs) have evolved over time.
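A defender-side illustration of the captive-portal trick described in the summary above, added here and not taken from the article or from ESET’s research: it classifies captured responses to the Windows connectivity probe and flags redirects whose target imitates Windows Update on a host Microsoft does not own. The probe URL and expected body are the real Windows 10+ values; TRUSTED_SUFFIXES, the branding keywords and the sample responses are constructed assumptions for the demo.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Windows 10+ probes http://www.msftconnecttest.com/connecttest.txt over plain
# HTTP and expects this exact body; any other answer triggers the captive-portal
# prompt, and an on-path ISP can forge that answer at will.
EXPECTED_BODY = "Microsoft Connect Test"
# Hosts a legitimate Microsoft redirect could use (assumed for this demo).
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "msftconnecttest.com")
BRAND_WORDS = ("windowsupdate", "microsoft", "msft")

@dataclass
class ProbeResponse:
    """Minimal view of one captured HTTP response to the NCSI probe."""
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")

def classify_probe(resp: ProbeResponse) -> str:
    """'genuine' if the probe answer is intact, 'captive_portal' for an ordinary
    sign-in redirect, 'suspicious_redirect' for a redirect whose target borrows
    Windows Update / Microsoft branding on a host Microsoft does not own."""
    if resp.status == 200 and resp.body.strip() == EXPECTED_BODY:
        return "genuine"
    location = resp.header("Location")
    if 300 <= resp.status < 400 and location:
        host = (urlparse(location).hostname or "").lower()
        trusted = any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)
        if any(w in host for w in BRAND_WORDS) and not trusted:
            return "suspicious_redirect"
    # Anything else (redirect elsewhere, injected HTML) reads as a plain portal.
    return "captive_portal"

# Constructed samples: genuine answer, hotel portal, lookalike, injected HTML.
SAMPLES = [
    ProbeResponse(200, EXPECTED_BODY, {"Content-Type": "text/plain"}),
    ProbeResponse(302, "", {"Location": "http://wifi-login.example.net/portal"}),
    ProbeResponse(302, "", {"location": "http://windowsupdate-security.example.org/go"}),
    ProbeResponse(200, "<html>critical system security updates</html>"),
]

def summarize(samples=SAMPLES) -> dict:
    """Count verdicts over a capture; any 'suspicious_redirect' warrants a look."""
    counts = {"genuine": 0, "captive_portal": 0, "suspicious_redirect": 0}
    for s in samples:
        counts[classify_probe(s)] += 1
    return counts
```

Because the probe itself is unauthenticated HTTP, a clean verdict only says the answer was not tampered with on this capture; an intercepted session would look like an ordinary portal until the redirect target is inspected.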