EMEA and APAC governments targeted in widespread credential harvesting campaign

Cyjax analysts have uncovered a large credential harvesting campaign targeting multiple government departments in APAC and EMEA countries. Over 50 hostnames were analysed, many of which posed as the Ministry of Foreign Affairs, Ministry of Finance, or Ministry of Energy of countries such as Uzbekistan, Belarus, and Turkey, as well as the Main Intelligence Directorate of Ukraine and the Pakistan Navy. IOCs for this campaign can be found at the bottom of this blog.

It is currently unknown how the attackers are spreading the credential harvesting pages, as no phishing emails have yet been uncovered. Phishing links are, however, the most likely method of distribution.

Fig. 1 – Credential harvesting pages posing as mail server login portal for government departments

Fig. 2 – Countries targeted in the credential harvesting campaign

Fig. 3 – Ministries of Foreign Affairs were the primary target, making up one-quarter of domains

Fig. 4 – Phishing page posing as an Uzbekistan Government login portal

The campaign likely began in Spring 2020: this was when the domains were first transferred to their current host. At the time of discovery, 15 phishing pages were still active and targeting the governments of Kyrgyzstan, Belarus, Georgia, Turkmenistan, Ukraine, Uzbekistan, the Pakistan Navy, and several that posed as the Mail.ru email service.

The hostnames in this campaign typically began with “mail.” and often embedded the targeted government department’s real domain in full as a subdomain of the attacker-controlled domain. The attackers registered only five domains for this campaign, through either Tucows or PublicDomainRegistry, and hosted the sites with either OVH SAS or VDSINA.
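One way a defender can turn the naming pattern described above into a detection check, written as an added example that is not code from the Cyjax post: the protected-domain list is a constructed sample (substitute your own), and the two confusable substitutions ("rn" for "m", "gcv" for "gov") are the ones observed in this campaign's hostnames.

```python
# Constructed sample of legitimate mail domains a defender protects (assumption: use your own list).
PROTECTED_DOMAINS = sorted(["mfa.gov.by", "economy.gov.by", "mfa.gov.ua", "mfa.uz"], key=len, reverse=True)

# Label-level substitutions observed in this campaign's hostnames ("rnail" for "mail", "gcv" for "gov").
CONFUSABLES = [("rn", "m"), ("gcv", "gov")]

def normalise_labels(labels):
    """Undo the known confusable substitutions label by label."""
    fixed = []
    for label in labels:
        for bad, good in CONFUSABLES:
            label = label.replace(bad, good)
        fixed.append(label)
    return fixed

def _find_protected(labels):
    """Locate a protected domain as a contiguous run of labels.
    Returns ("suffix", d) when it is the real registrable suffix, ("embedded", d)
    when more labels follow it (an attacker-owned apex), else (None, None)."""
    for d in PROTECTED_DOMAINS:
        parts = d.split(".")
        n = len(parts)
        for i in range(len(labels) - n + 1):
            if labels[i:i + n] == parts:
                return ("suffix" if i + n == len(labels) else "embedded", d)
    return (None, None)

def classify(host):
    """Classify one hostname against the two lookalike patterns used in this campaign."""
    labels = host.lower().rstrip(".").split(".")
    kind, d = _find_protected(labels)
    if kind == "suffix":
        return ("legitimate", d)
    if kind == "embedded":
        return ("embedded_lookalike", d)        # e.g. mail.mfa.gov.by.connecting.fail
    fixed = normalise_labels(labels)
    if fixed != labels:
        kind, d = _find_protected(fixed)
        if kind:
            return ("confusable_lookalike", d)  # e.g. rnail.economy.gcv.by
    return ("unknown", None)

def flag_hostnames(hosts):
    """Return (host, verdict, protected_domain) for each hostname matching a lookalike pattern."""
    flagged = []
    for h in hosts:
        verdict, d = classify(h)
        if verdict.endswith("_lookalike"):
            flagged.append((h, verdict, d))
    return flagged
```

Run `flag_hostnames` over hostnames extracted from DNS or proxy logs; the confusable check only fires when the corrected labels match a protected domain, so ordinary labels containing "rn" are not flagged on their own.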

The threat actors behind this campaign appear to be targeting the email portals of these government departments, potentially as part of an intelligence-gathering campaign. Access to government ministries, particularly a Ministry of Foreign Affairs, is a key part of most nation-state hacking groups’ targeting. This campaign’s main targets, with the highest number of phishing pages, appear to be Belarus, Ukraine, and Uzbekistan.

The targeting more generally suggests that this could be the work of an advanced persistent threat (APT) working on behalf of a nation-state. It is possible that this is a cybercriminal campaign intended to serve as an access broker on underground forums; however, many of the countries targeted are Russian satellites or Russia itself, which many cybercriminals avoid targeting to prevent attention from local law enforcement. Considering the narrow targeting and the lack of immediate financial benefit, we therefore believe this activity is more aligned with a state-sponsored APT campaign.

Analysis of one of the OVH IP addresses (145.239.23.7), which has hosted several of the domains and is still in use, uncovered a potential link to an APT campaign launched against Ukraine during the COVID-19 pandemic. Cyjax analysts discovered that a previously disclosed malicious hostname (cloud-seuirty[.]ggpht[.]ml) was created at a similar time and used the same credential harvesting page template as others we have seen in this campaign. The attack against Ukraine is tracked by some in the private cybersecurity industry as Operation TrickyMouse, which has tentative links to UNC1151 and Hades (also known as Sandworm). (1, 2, 3, 4)


Targeted organisations and malicious domains:
