More trouble from an APT with Colombia and Ecuador on its mind

A malicious hacking group continues to use "simple" phishing techniques to steal information from government agencies and financial institutions in Colombia and Ecuador, cybersecurity researchers say.

BlackBerry's Research & Intelligence Team reported Monday that the group, known as Blind Eagle or APT-C-36, recently "impersonated a Colombian government tax agency to target key industries in Colombia, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country."

The discovery follows a separate report in January by cybersecurity company Check Point Research that said Blind Eagle had developed "a more advanced toolset" as it sent out phishing emails designed to spur recipients to click on malicious web links.

Those links ultimately lead victims to unwittingly install remote access trojan (RAT) malware, which gives the hackers access to infected computers.

Blind Eagle — classified as an advanced persistent threat (APT) group — has been operating since at least 2018, researchers say. Several cybersecurity companies have said the hackers operate from within South America, though there is no consensus on a specific country.

Taxes as a lure

In the example studied by BlackBerry, the phishing emails came with sham PDFs claiming to be from Columbia’s Directorate of National Taxes and Customs, or DIAN.

"The letter we analyzed states that the recipient is “45 days in arrears” with a tax payment, and tells the target to click a link to view their invoice, which comes in the form of a password-protected PDF," BlackBerry said.

The campaigns that Check Point exposed were more oriented toward gaining access to financial institutions. One of the associated PDFs was designed to look like a document from the migration department of the Colombian Ministry of Foreign Affairs. Another used the logo for Ecuador's internal revenue service, or SRI.

The reports show the challenges of identifying a group's motives, especially as success emboldens the hackers.

Blind Eagle is "clearly more interested in cybercrime and monetary gain than in espionage," Check Point said, while BlackBerry said the most recent campaign was for "information theft and espionage."

In any case, Blind Eagle has no shortage of victims, apparently.

"The modus operandi used has mostly stayed the same as the group’s previous efforts — it is very simple, which may mean that this group is comfortable with its way of launching campaigns via phishing emails, and feels confident in using them because they continue to work," BlackBerry said.