Government

Before targeting Belarus, Eastern Europe-focused hackers flew under the radar

Despite the explosion of security firms that track state-linked hackers, a significant amount of that activity goes unnoticed.

By Sean Lyngaas

October 2, 2020

Researchers at Slovakian anti-virus company ESET made the discovery. (Scoop News Group photo)

A mysterious cyber-espionage group, active for nearly a decade but documented in detail by private researchers for the first time Friday, has been hacking into government organizations in Eastern Europe in search of secrets.

The hacking group has targeted military organizations, foreign ministries and private firms in Russia, Ukraine, Belarus and the Balkans with pinpoint espionage. Researchers from the anti-virus firm ESET, which claimed the discovery and christened the group “XDSpy,” said the attackers have been scouring a few dozen computers in search of sensitive PDF and Microsoft Word documents.

One of the few other public indicators that XDSpy was on the prowl came from a February advisory from the Belarusian government’s National Computer Emergency Response Team. That statement listed four Belarusian government email accounts that had been compromised by the attackers, but warned that various government officials had been targeted.

The broader region has long been subject to cyber-espionage activity, as hackers from Russia and elsewhere aim to track policymakers from former Soviet states such as Ukraine and Georgia, according to a large body of cybersecurity research. Belarus, in particular, has been the subject of international headlines after autocrat Alexander Lukashenko used technology to crack down on protesters following a disputed election.

The identity of the group behind the XDSpy attacks remains unclear.

“I believe [XDSpy] attracted attention in 2020 because they increase their attack tempo,” ESET researcher Mathieu Faou told CyberScoop. “Their operation became noisier and several people started to look at their activities.”

ESET researchers say it appears to be state-sponsored, but they declined to speculate on which government might be behind it. They did say that the operatives appeared to be based in the same time zones as many of their targets.

The research is a peak behind the curtain of typical espionage activity. The attackers appeared to have tracked their targets’ locations by monitoring wireless access points, and in some cases attempted to exfiltrate data from compromised computers.

Faou said the group’s rather “basic” malware has been effective over the years. But the XDSpy hackers may have also turned to a murky software exploit market where spies and private code-slingers increasingly rub shoulders.

In June, the spies exploited a vulnerability in Internet Explorer. There was little public data on the exploit at the time, ESET said, suggesting that XDSpy either developed it on their own or bought it from an unnamed broker. The code from the exploit bears similarities to one used by DarkHotel, a different espionage group suspected of operating out of South Korea.