A newly identified cyberespionage group in Belarus is targeting foreign embassies often with the assistance of local internet service providers, researchers with the cybersecurity firm ESET said Thursday.
The group, which has been operating since 2014 and which ESET dubbed MustachedBouncer, has compromised embassy staff from at least two European countries, one from South Asia and one from Africa, as early as 2017, according to research set to be presented this week at the Black Hat security conference in Las Vegas.
Then, beginning in January 2020, the group began targeting “a few selected organizations” via local ISPs in an adversary-in-the-middle attack, according to the research, relying on “lawful interception” systems, possibly including the Russian SORM network interception technology, and custom malware the researchers named “Disco.”
The group also operates a separate malware framework known as “NightClub,” but it’s not clear how it is deployed against targets. Both malware sets include capabilities supporting screenshots, audio recording and file theft, the researchers said.
The group is likely closely cooperating with a separate suspected Belarusian, pro-Russian cyberespionage effort known as Winter Vivern, the researchers said, which has targeted government and private entities in Europe and beyond using different methods. The commonalities are seen in network infrastructure, suggesting “a common entity that is providing network infrastructure” for both groups, said Matthieu Faou, a malware researcher with ESET. Both operations are completely distinct from UNC1151, also tracked as Ghostwriter, which researchers and governments have said is a potent pro-Russian information operation emanating from Belarus.
“The kind of operation MustachedBouncer is running is more oriented toward counter espionage and things like that,” Faou told CyberScoop ahead of his presentation. “They’re really interested in people in their country.”
The highly selective targeting by the group against a very small number of targets could help explain how the group has continually operated for nearly 10 years, Faou said. Additionally, he added, NightClub has undergone significant development over the years, pushing it from its original form as a basic file stealer into “a fully featured backdoor.”
The deployment of Disco at the ISP level, ESET said, is reminiscent of aspects of campaigns carried out by Turla, a well-known cyberespionage effort linked to the Russian security services, and StrongPity, a campaign more than a decade old with possible ties to the Turkish government. There are examples, however, of sophisticated hacking operations emanating from one country targeting ISPs in another country in order to enable such attacks.
“Usually, this initial access method is used by threat actors operating in their own country because it requires significant access inside the internet service providers, or their upstream providers,” the researchers wrote in their analysis. “In many countries, security services are allowed to perform so-called ‘lawful interception’ using special devices installed on the ISPs’ premises.”
A Russian law dating to 2014 required ISPs there to install the SORM technology to enable the Federal Security Service (FSB) to conduct targeted surveillance, the ESET analysis notes. A similar law exists in Belarus, according to a 2021 report from Amnesty International.
“While the compromise of routers in order to conduct [adversary-in-the-middle attacks] on embassy networks cannot be fully discarded, the presence of lawful interception capabilities in Belarus suggests the traffic mangling is happening at the ISP level rather than on the targets’ routers,” the researchers wrote.