An ongoing phishing campaign, active since Spring 2020, has already targeted the governments of seven countries across APAC, Europe, and EMEA. The campaign is focused on harvesting credentials, most probably to gather intelligence.
What has happened?
According to security researchers, the campaign has used multiple phishing domains that were transferred to their present host last year. These domains were hosting malicious pages aimed at harvesting credentials.
The pages pose as numerous ministries of the targeted countries' governments, such as departments of finance, energy, and foreign affairs.
Access to a Ministry of Foreign Affairs is a primary objective of many nation-state hackers. Based on the phishing pages, the campaign mainly focuses on targets in Belarus, Ukraine, and Uzbekistan.
Some pages were discovered to mimic the Pakistan Navy, the Mail.ru email service, and the Main Intelligence Directorate of Ukraine. Security firm Cyjax is tracking the attacks against Ukraine as Operation TrickyMouse.
So far, no phishing emails have been observed, although email remains the most likely distribution method.
Technical insights
To date, at least 15 pages are actively targeting the governments of Belarus, Georgia, Kyrgyzstan, Pakistan, Turkmenistan, Ukraine, and Uzbekistan.
The attackers have registered five domains for the campaign through the popular registrars and hosting providers Tucows, PublicDomainRegistry, OVH SAS, and VDSINA. The identified domains begin with the prefix ‘mail’ followed by the targeted government department’s domain name and hostname.
One of the OVH IP addresses (145[.]239[.]23[.]7) has been used to host several of the domains and is still in use as a host; this uncovered a possible link to an APT campaign launched against Ukraine.
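The naming pattern above (a ‘mail’ prefix plus the impersonated department’s own domain labels) and the single published hosting IP are the two indicators a defender can act on. The following is an added example, not code from the report or from any of the researchers cited: it classifies observed hostnames as a legitimate subdomain of a protected department domain, a lookalike in the described pattern, or unknown, and runs that check together with the refanged IoC IP over resolver log lines. Every domain, client address and log line below is a constructed placeholder; only the IP is the one published above.

```python
"""Detection helpers for the 'mail'-prefix lookalike pattern and the published hosting IP.
Added example, not code from the report; all domains and log lines are constructed placeholders."""
import re

# Constructed placeholder list of legitimate department domains a defender wants to protect.
PROTECTED_DOMAINS = ["mfa.gov.example", "minfin.gov.example", "energy.gov.example"]

# The only network indicator the report gives, kept defanged exactly as published.
DEFANGED_IOC_IPS = ["145[.]239[.]23[.]7"]


def refang(indicator):
    """Turn a defanged indicator ('145[.]239[.]23[.]7', 'hxxp://') back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def _flatten(name):
    """Lowercase and drop every separator so 'mail-mfa-gov-example' equals 'mail.mfa.gov.example'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def classify_domain(observed):
    """Return ('legitimate' | 'lookalike' | 'unknown', matched protected domain or None)."""
    host = observed.lower().rstrip(".")
    # A genuine subdomain such as mail.mfa.gov.example ends with ".<protected>" and is fine.
    for protected in PROTECTED_DOMAINS:
        if host == protected or host.endswith("." + protected):
            return "legitimate", protected
    leftmost = host.split(".")[0]
    flat_host = _flatten(host)
    for protected in PROTECTED_DOMAINS:
        # Pattern from the report: a 'mail' prefix plus the department's domain labels,
        # however the attacker joined them ('.', '-', or nothing at all).
        if leftmost.startswith("mail") and _flatten(protected) in flat_host:
            return "lookalike", protected
    return "unknown", None


def scan_dns_log(lines):
    """Flag log lines whose queried name is a lookalike or whose answer is a known IoC IP."""
    ioc_ips = {refang(ip) for ip in DEFANGED_IOC_IPS}
    hits = []
    for line in lines:
        match = re.search(r"query=(\S+)\s+answer=(\S+)", line)
        if not match:
            continue
        qname, answer = match.group(1), match.group(2)
        verdict, protected = classify_domain(qname)
        reasons = []
        if verdict == "lookalike":
            reasons.append(f"lookalike of {protected}")
        if answer in ioc_ips:
            reasons.append(f"resolves to known IoC {answer}")
        if reasons:
            hits.append((qname, "; ".join(reasons)))
    return hits


# Constructed sample resolver log: names, clients and answers are placeholders,
# except the published IoC IP on the second line.
SAMPLE_LOG = [
    "2021-02-01T09:12:03Z client=10.0.0.12 query=mail.mfa.gov.example answer=192.0.2.10",
    "2021-02-01T09:13:41Z client=10.0.0.12 query=mail-mfa-gov-example.test answer=145.239.23.7",
    "2021-02-01T09:15:07Z client=10.0.0.31 query=mail.minfin.gov.example.cdn-login.test answer=198.51.100.7",
    "2021-02-01T09:16:55Z client=10.0.0.31 query=www.example.org answer=203.0.113.5",
]

if __name__ == "__main__":
    for qname, why in scan_dns_log(SAMPLE_LOG):
        print(f"ALERT {qname}: {why}")
```

The separator-insensitive comparison is what makes the check useful: a registrant can spell the impersonated department with dots, hyphens or no separator at all, and all three variants collapse to the same string. Any name flagged as a lookalike that does sit under a domain you operate is still worth a review, since an unexpected ‘mail’ host inside your own zone is exactly what a credential-harvesting page would try to look like.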
Conclusion
This attack campaign is focused on a limited set of victims and offers no direct financial benefit. This suggests that the attackers behind it are state-sponsored or APT groups looking to steal sensitive information.