Researchers from cybersecurity firm Cyjax uncovered a large phishing campaign targeting multiple government departments in APAC and EMEA countries.
The phishing campaign has been ongoing since spring 2020 when the domains were first transferred to their current host. At the time of discovery, experts noticed that 15 phishing pages were still active and targeting the governments of Kyrgyzstan, Belarus, Georgia, Turkmenistan, Ukraine, Uzbekistan, and Pakistan.
“The domains in this campaign typically began with “mail.” and often contained the targeted government department’s real domain in full as a hostname on the attacker’s domain. Only five domains were registered by the attackers in this campaign: either through Tucows or PublicDomainRegistry; using either OVH SAS or VDSINA to host the sites.” reads the analysis published by the experts.
In other words, the domain names typically started with “mail.” and embedded the targeted government department’s real domain in full as a hostname under a domain controlled by the attacker.
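The naming pattern described above can be checked for in DNS or proxy logs. The following Python sketch is an added example, not code from Cyjax or the original article; the watchlist domains, the log format and the function names are constructed assumptions.

```python
import re

# Constructed watchlist: legitimate domains your organisation owns (placeholders).
PROTECTED = ("mfa.gov.example", "minfin.gov.example")

# Dot-separated hostname candidates inside a log line.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z0-9-]+\b", re.I)

def check_host(host, protected=PROTECTED):
    """Flag a host that carries a protected domain in full as leading labels
    while the labels to its right (the real parent) belong to someone else."""
    labels = host.lower().rstrip(".").split(".")
    for dom in protected:
        want = dom.split(".")
        n = len(want)
        # Stop one label short of the end: a match that ends the hostname is
        # the protected domain itself or one of its own subdomains.
        for i in range(len(labels) - n):
            if labels[i:i + n] == want:
                return {
                    "host": ".".join(labels),
                    "impersonates": dom,
                    "parent": ".".join(labels[i + n:]),
                    "mail_prefix": labels[0] == "mail",
                }
    return None

def scan(lines, protected=PROTECTED):
    """Return one finding per suspicious hostname seen in the log lines."""
    findings = []
    for line in lines:
        for host in HOST_RE.findall(line):
            hit = check_host(host, protected)
            if hit:
                findings.append(hit)
    return findings

# Constructed DNS query log lines (not real campaign data).
SAMPLE_LOG = [
    "2020-06-01T08:14:02Z client=10.0.0.12 query=mail.mfa.gov.example.login-portal.test type=A",
    "2020-06-01T08:14:05Z client=10.0.0.12 query=mail.mfa.gov.example type=A",
    "2020-06-01T08:15:40Z client=10.0.0.31 query=MinFin.gov.example.webmail-auth.test. type=A",
    "2020-06-01T08:16:11Z client=10.0.0.44 query=www.example.org type=A",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The genuine `mail.mfa.gov.example` query is not flagged because the protected domain sits at the end of the name; only names where it is followed by a foreign parent domain are reported.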
The phishing pages were crafted to look like the legitimate sites of various ministries within the targeted countries’ governments, including departments of energy, finance, and foreign affairs. Other pages analyzed by the researchers posed as the Pakistan Navy, the Main Intelligence Directorate of Ukraine, and the Mail.ru email service.
Ministries of Foreign Affairs were the primary target, making up one-quarter of domains.
Experts speculate that the main targets of this campaign were Belarus, Ukraine, and Uzbekistan, because a greater number of phishing pages targeted these countries.
The nature of the target and the attackers’ TTPs suggest that the phishing campaign was orchestrated by a nation-state threat actor.
The experts observed that many of the countries targeted are Russian satellites or Russia itself, and that cybercrime groups usually avoid targeting these countries so as not to draw a response from local police.
The analysis of one of the OVH IP addresses (126.96.36.199) used by the threat actors revealed a potential link to Operation TrickyMouse, launched against Ukraine by Sandworm during the COVID-19 pandemic.
“The targeting more generally suggests that this could be the work of an advanced persistent threat (APT) working on behalf of a nation-state. While it is, however, possible that this could be a cybercriminal campaign looking to serve as an access broker on underground forums, many of the countries targeted are Russian satellites or Russia itself, countries that many cybercriminals do not target to prevent attention from local law enforcement.” concludes the analysis. “Considering the narrow targeting and lack of immediate financial benefit, therefore, we believe this activity is more aligned to a state-sponsored APT campaign.”
(SecurityAffairs – hacking, phishing)