EMEA and APAC governments targeted in widespread credential harvesting campaign

September 16, 2021
William Thomas

Cyjax analysts have uncovered a large credential harvesting campaign targeting multiple government departments in APAC and EMEA countries. Over 50 hostnames were analyzed, many of which were posing as the Ministry of Foreign Affairs, Ministry of Finance, or Ministry of Energy in various countries such as Uzbekistan, Belarus, and Turkey, as well as the Main Intelligence Directorate of Ukraine and the Pakistan Navy. Indicators of Compromise (IOCs) for this campaign can be found at the bottom of this blog.

It is currently unknown how the attackers are spreading the credential harvesting pages, as no phishing emails have yet been uncovered. Phishing links are, however, the most likely method of distribution.

Fig. 1 – Credential harvesting pages posing as mail server login portals for government departments.

Fig. 2 – Countries targeted in the credential harvesting campaign.

Fig. 3 – Ministries of Foreign Affairs were the primary target, making up one-quarter of domains.

Fig. 4 – Phishing page posing as an Uzbekistan Government login portal.

The campaign is believed to have started in Spring 2020, when the domains were first transferred to their current host. At the time of discovery, 15 phishing pages were still active, targeting the governments of Kyrgyzstan, Belarus, Georgia, Turkmenistan, Ukraine and Uzbekistan, as well as the Pakistan Navy; several others posed as the Mail.ru email service.

The hostnames in this campaign typically began with "mail." and often contained the targeted government department's real domain in full as a subdomain of the attacker's registered domain. The attackers registered only five domains for the whole campaign, through either Tucows or PublicDomainRegistry, and hosted the sites on either OVH SAS or VDSINA.
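The two hostname patterns described above (a real ministry domain embedded under an attacker-registered domain, and character substitutions such as "rnail" for "mail" and "gcv" for "gov") can be triaged automatically. The following is an added example for defenders, not Cyjax's tooling: the allow-list of legitimate domains and the simplified registrable-domain logic are assumptions constructed for illustration.

```python
# Constructed allow-list: legitimate government mail domains named on the page.
LEGIT_DOMAINS = {
    "mfa.am", "gov.az", "economy.gov.by", "minenergo.gov.by", "minfin.gov.by",
    "mfa.gov.by", "vpk.gov.by", "mfa.gov.cn", "mfa.gov.kg", "paknavy.gov.pk",
    "mfa.uz", "mfa.gov.ge", "economy.ge", "adalet.gov.tr", "ras.ru", "mail.gov.ua",
}
# Look-alike substitutions seen in the campaign's hostnames (rnail -> mail, gcv -> gov).
LOOKALIKES = [("rn", "m"), ("gcv", "gov")]
# Second-level labels under which the registrable domain is three labels long
# (a simplified stand-in for a public suffix list; an assumption of this example).
SECOND_LEVEL = {"gov", "ac", "co", "com", "org", "edu", "net"}


def registrable_domain(host):
    """Return the part of the hostname that had to be registered (simplified)."""
    parts = host.split(".")
    n = 3 if len(parts) >= 3 and parts[-2] in SECOND_LEVEL else 2
    return ".".join(parts[-n:])


def unmask_lookalikes(host):
    """Undo the observed character substitutions so a typosquat maps onto the real domain."""
    for fake, real in LOOKALIKES:
        host = host.replace(fake, real)
    return host


def classify(host):
    """Classify a hostname as benign, embedded, lookalike or unknown.

    Returns a (verdict, domain) tuple, where domain is the legitimate domain
    being impersonated, or the registrable domain when nothing matches.
    """
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "benign", reg
    # Real domain embedded in full as a subdomain of an attacker-controlled domain,
    # e.g. mail.mfa.gov.by.connecting.fail, whose registered domain is connecting.fail.
    for legit in sorted(LEGIT_DOMAINS, key=len, reverse=True):
        if ("." + legit + ".") in ("." + host + "."):
            return "embedded", legit
    # Lookalike: only after undoing the substitutions does it resolve to a real domain,
    # e.g. rnail.minfin.gcv.by -> mail.minfin.gov.by.
    unmasked = registrable_domain(unmask_lookalikes(host))
    if unmasked in LEGIT_DOMAINS:
        return "lookalike", unmasked
    return "unknown", reg
```

Run `classify()` over proxy or DNS logs to surface hosts whose registrable domain differs from the ministry domain they display; the "embedded" and "lookalike" verdicts correspond to the two patterns seen in this campaign.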

The threat actors behind this campaign appear to be targeting the email portals of these government departments, potentially as part of an intelligence-gathering campaign. Access to government ministries, particularly a Ministry of Foreign Affairs, is a key part of most nation-state hacking groups' targeting. This campaign's main targets, with the greatest number of phishing pages, appear to be Belarus, Ukraine, and Uzbekistan.

The overall targeting of this campaign suggests that it could be the work of an advanced persistent threat (APT) working on behalf of a nation-state. While it is possible that this is a cybercriminal campaign aiming to sell the harvested access as a broker on underground forums, many of the countries targeted are Russian satellites or Russia itself, countries that many cybercriminals avoid targeting in order not to attract attention from local law enforcement. Considering the narrow targeting and the lack of immediate financial benefit, we therefore believe this activity is more aligned with a state-sponsored APT campaign.

Analysis of one of the OVH IP addresses (145.239.23.7), which has hosted several of the domains and is still in use as a host, uncovered a potential link to an APT campaign launched against Ukraine during the first year of the COVID-19 pandemic. Cyjax analysts discovered that a previously disclosed malicious hostname (cloud-seuirty[.]ggpht[.]ml) was created at a similar time and used the same credential harvesting page template as the others in this campaign. The attack against Ukraine is tracked by some in the private cybersecurity industry as Operation TrickyMouse, which has tentative links to UNC1151 and Hades (also known as Sandworm).

Targeted Organisations and Malicious Domains:

  • Armenia Ministry of Foreign Affairs: mail.mfa.am.webmails.info
  • Azerbaijan Government: mail.gov.az.connecting.fail
  • Belarus Ministry of Economy: mail.economy.gov.by.connecting.fail
  • Belarus Ministry of Energy: rnail.minenergo.gcv.by
  • Belarus Ministry of Finance: rnail.minfin.gcv.by
  • Belarus Ministry of Foreign Affairs: mail.mfa.gov.by.connecting.fail
  • Belarus Ministry of Information: mail.mininform.gov.by.connecting.fail
  • Belarus President Property Management Directorate: mail.pmrb.gov.by.connecting.fail
  • Belarus State Military Industrial Committee: rnail.vpk.gcv.by
  • China Ministry of Foreign Affairs: mail.mfa.gov.cn.connecting.fail
  • Georgia Ministry of Economy: mail.economy.ge.webmails.info
  • Georgia Ministry of Foreign Affairs: email.mfa.gov.ge.connecting.fail
  • Kyrgyzstan Ministry of Foreign Affairs: mail.mfa.gov.kg.connecting-to-server.info
  • Pakistan Navy: mail.paknavy.gov.pk.connecting.fail
  • Russian Academy of Sciences: webmail.ras.ru.connecting.fail
  • Turkey Ministry of Justice: webmail.adalet.gov.tr.connecting.fail
  • Ukraine Electronic Court of Government: e-court.mail.gov.ua.connecting.fail
  • Uzbekistan Ministry of Foreign Affairs: mail.mfa.uz.connecting-to-server.info