‘MoustachedBouncer’ espionage hackers targeting embassies in Belarus

LAS VEGAS — Foreign embassies in Belarus are being targeted by hackers looking to steal documents, record audio and track victim keystrokes.

Researchers from cybersecurity firm ESET named the group responsible “MoustachedBouncer” due to its ties to the government of Belarus — run by mustachioed strongman Alexander Lukashenko.

The group has operated since 2014 but shifted tactics in 2020, when it began to perform what researchers call “adversary-in-the-middle” (AitM) attacks. AitM is a type of attack where hackers intercept authentication between users and a service to compromise identities or steal data.

On the sidelines of the Black Hat cybersecurity conference this week, ESET researcher Matthieu Faou explained to Recorded Future News that the hackers are likely exploiting local ISPs to steal data.

Faou said ESET has identified four embassies affected by the campaign, including two from Europe and one each from South Asia and Africa.

“To compromise their targets, MoustachedBouncer operators tamper with their victims’ internet access, probably at the ISP level, to make Windows believe it’s behind a captive portal,” Faou explained. “For IP ranges targeted by MoustachedBouncer, network traffic is redirected to a seemingly legitimate, but fake, Windows Update page.”

Faou explained that an investigation into the attacks showed that it is likely the traffic is being intercepted at the ISP level rather than through compromised routers, since Belarus’ government is legally allowed in some cases to conduct this sort of surveillance.

In a report published this week and presented at Black Hat, Faou outlined the range of tools, which he named “NightClub” and “Disco,” used by the hackers to launch the attacks.

While Disco is used during AitM attacks, NightClub is deployed in instances where traffic interception is not possible — like when embassies use VPN services to route traffic outside of Belarus.

NightClub exploits free email services —– most notably the Czech webmail service Seznam.cz and the Russian Mail.ru webmail provider —– to steal data. The tools allow them to take screenshots, record audio and log keystrokes.

During his research into the group, Faou said he discovered ties between MoustachedBouncer and Winter Vivern, a hacking group with suspected ties to Moscow.

Winter Vivern has targeted government agencies and telecom operators in Ukraine, India and Europe, according to a report in March from the cybersecurity company SentinelOne.

Faou also found ties to the Russian hacking group Turla, which last month was implicated in attacks on Ukrainian defense forces with spying malware.

“The AitM scenario reminds us of the Turla and StrongPity threat actors, who have trojanized software installers on the fly at the ISP level,” he said.

The AitM technique was used selectively, likely only against embassies, rather than countrywide.

“The main takeaway is that organizations in foreign countries where the internet cannot be trusted should use an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic in order to circumvent any network inspection devices,” Faou said.