A newly discovered government hacking group, dubbed Moustached Bouncer by antivirus firm ESET, has been targeting foreign diplomats in Belarus for nearly 10 years. The group’s activities suggest close collaboration with the Belarusian government.
Background on Moustached Bouncer
ESET first detected Moustached Bouncer in February 2022, days after Russia invaded Ukraine, in an attack against specific diplomats at the embassy of a European country "somehow involved in the war." ESET assesses that the group compromises, or at least targets, diplomats by intercepting their network connections at the internet service provider (ISP) level.
Methodology and Techniques
According to ESET, Moustached Bouncer uses an adversary-in-the-middle (AitM) position to tamper with the target's network traffic. Windows decides whether it sits behind a captive portal from the answer to a plaintext HTTP connectivity probe, so an on-path attacker who rewrites that answer can make the operating system believe it is on a network with a captive portal and prompt the user to open a page. The target is then sent to a fake site masquerading as Windows Update, which warns that there are "critical system security updates that must be installed."
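The following is an added example, not code from the article or from ESET, showing how a defender could spot this rewrite in egress or proxy logs. It relies on two facts about the Windows Network Connectivity Status Indicator (NCSI): Windows 10 and later request http://www.msftconnecttest.com/connecttest.txt and expect the exact body "Microsoft Connect Test", while older builds request http://www.msftncsi.com/ncsi.txt and expect "Microsoft NCSI"; any other answer makes Windows assume a captive portal. The log format, the sample lines and the lure hostname are constructed for the example and are not indicators from the page.

```python
"""Classify answers to Windows' plaintext NCSI connectivity probe.

Added example, not from the article or ESET.  Because the probe is plain
HTTP, anyone on the path (an ISP included) can replace the answer with a
redirect or an HTML page; Windows then treats the network as a captive
portal and offers to open the returned location, which is the hook a fake
"Windows Update" lure needs.
"""

from dataclasses import dataclass
from typing import List, Optional

# NCSI probe URLs and the exact body Windows expects back.
EXPECTED_PROBES = {
    ("www.msftconnecttest.com", "/connecttest.txt"): "Microsoft Connect Test",
    ("www.msftncsi.com", "/ncsi.txt"): "Microsoft NCSI",
}


@dataclass
class ProbeAnswer:
    host: str
    path: str
    status: int
    location: Optional[str]  # Location header, if any
    body: str


def classify(ans: ProbeAnswer) -> str:
    """Return 'genuine', 'captive_portal_redirect', 'tampered' or 'not_a_probe'."""
    key = (ans.host.lower(), ans.path)
    if key not in EXPECTED_PROBES:
        return "not_a_probe"
    if ans.status == 200 and ans.body == EXPECTED_PROBES[key]:
        return "genuine"
    if 300 <= ans.status < 400 and ans.location:
        # A redirect is what a real captive portal does, and also what the
        # AitM described in the article does; the target host tells them apart.
        return "captive_portal_redirect"
    # 200 with the wrong body, or any other status: the answer was rewritten.
    return "tampered"


def parse_log_line(line: str) -> ProbeAnswer:
    """Parse one line of the constructed log format:
    host<TAB>path<TAB>status<TAB>location<TAB>body  ('-' means empty)."""
    host, path, status, location, body = line.rstrip("\n").split("\t", 4)
    return ProbeAnswer(
        host=host,
        path=path,
        status=int(status),
        location=None if location == "-" else location,
        body="" if body == "-" else body,
    )


def scan(lines: List[str]) -> List[dict]:
    """Return a finding for every probe answer that is not the genuine one."""
    findings = []
    for line in lines:
        ans = parse_log_line(line)
        verdict = classify(ans)
        if verdict in ("captive_portal_redirect", "tampered"):
            findings.append(
                {"host": ans.host, "verdict": verdict, "location": ans.location}
            )
    return findings


# Constructed sample log: one genuine answer, one redirect to a lure host
# (hostname invented for the example), one rewritten body, one unrelated request.
SAMPLE_LOG = [
    "www.msftconnecttest.com\t/connecttest.txt\t200\t-\tMicrosoft Connect Test",
    "www.msftconnecttest.com\t/connecttest.txt\t302\thttp://updates.windows-security.example/\t-",
    "www.msftncsi.com\t/ncsi.txt\t200\t-\t<html>Critical system security updates must be installed</html>",
    "example.com\t/\t200\t-\t<html>ok</html>",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On a network with no legitimate captive portal, any non-genuine answer to these two URLs is worth an alert; on guest Wi-Fi, compare the redirect target against the portal host you expect rather than suppressing the check entirely.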
Intercepting Traffic: Collaboration between ISPs and Belarusian Government
It is unclear exactly how Moustached Bouncer intercepts and modifies traffic. ESET researchers believe Belarusian ISPs are cooperating with the attacks, giving the group access to a lawful-intercept system similar to the one Russia deploys, known as SORM.
SORM: A Surveillance System in Place for Years
The existence of this surveillance capability has been known for years. In Belarus, all telecom providers "must make their hardware compatible with the SORM system," according to a 2016 Amnesty International report, which gives the government a ready means of monitoring and intercepting communications.
Success and Careful Operations
ESET researchers believe Moustached Bouncer has successfully compromised high-profile targets such as diplomats over the years, while remaining under the radar. "They stayed under the radar for a long time," said ESET researcher Matthieu Faou. "And so it means that they’re quite successful if they were able to compromise high profile targets such as diplomats, while no one really spoke about them, and there have been very few malware samples available for analysis."
Timeline of Moustached Bouncer’s Activities
ESET researchers found evidence of attacks dating back to 2014. However, there is a gap in the timeline between 2014 and 2018, suggesting that the group may have gone dormant during this period.
Impact on Foreign Diplomats
The targeting of foreign diplomats raises concerns about the security of diplomatic missions in Belarus, whose traffic transits local ISPs. Because the lure arrives through a captive-portal prompt, and Windows Update never delivers patches through a browser page opened that way, such a prompt demanding "critical" updates is itself a warning sign; missions should also expect plaintext traffic to be readable and modifiable on the path and rely on end-to-end encrypted channels.
Conclusion
Moustached Bouncer's activities suggest a long-running, coordinated effort, carried out in close cooperation with the Belarusian state, to target foreign diplomats. The combination of AitM tampering with ISP-level access shows how a lawful-intercept capability can be turned into an offensive one, and why organizations operating in such environments need to treat the local network as hostile.
Additional Information
If you have any information about this hacking group or other advanced persistent threats (APTs), please contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also use TechCrunch’s SecureDrop.
Related Topics
- Belarus
- Black Hat
- Cybersecurity
- Hacking
- Government-Linked Hackers
Frequently Asked Questions
- What is Moustached Bouncer?
  Moustached Bouncer is a newly discovered government hacking group that has been targeting foreign diplomats in Belarus for nearly 10 years.
- How does Moustached Bouncer operate?
  ESET believes the group uses an adversary-in-the-middle (AitM) technique to tamper with network traffic, making Windows show a captive-portal prompt and redirecting the target to a fake Windows Update page that delivers malware.
- What is SORM?
  SORM is the lawful-intercept system originally deployed in Russia; Belarusian telecom providers are required to make their hardware compatible with it, which lets the government monitor and intercept communications.