Security researchers at threat intelligence firm Cyjax have uncovered a widespread credential harvesting campaign targeting government agencies in seven countries across the Asia-Pacific (APAC) and Europe, Middle East and Africa (EMEA) regions. According to Cyjax, the campaign is still ongoing and has been active since the beginning of 2020.
Credential harvesting is the collection of user credentials, typically usernames and passwords, by tricking the user into entering them on a page the attacker controls. Phishing is the usual delivery mechanism, and the stolen credentials are then used for account takeover or sold on.
Researchers found multiple phishing pages, hostnames, and domains targeting national agencies in Kyrgyzstan, Georgia, Turkmenistan, Ukraine, Pakistan, Belarus, and Uzbekistan. Of the 50 hostnames analyzed, most impersonated the Ministry of Foreign Affairs, Ministry of Finance, or Ministry of Energy of Uzbekistan, Belarus, and Turkey. Threat actors also impersonated the Main Intelligence Directorate of Ukraine and the Pakistan Navy.
The breakdown of departments impersonated across the analyzed hostnames was:
- Information Technology (9.6%)
- Telecom (3.8%)
- Agriculture (1.9%)
- Legal (5.8%)
- Real Estate (3.8%)
- Water (5.8%)
- Education (3.8%)
- Energy (1.9%)
- Finance (9.6%)
- Media (3.8%)
- Transportation (5.8%)
- Military (5.8%)
- Foreign Affairs (21.2%)
The credential harvesting pages were built to look like the webmail login portals of the targeted government departments. Most of the phishing hostnames in this campaign began with mail. followed by the real domain name of the targeted agency, so that a victim glancing at the address bar sees the name they expect. The phishing domains appear to have been registered or hosted through Tucows, PublicDomainRegistry, OVH SAS, or VDSINA.
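The naming pattern described above is easy to screen for if you know your own agency domains. The following Python script is an added example, not code from Cyjax or from the original article: it classifies hostnames from a passive-DNS or certificate-transparency feed as a real subdomain, a lookalike, or unrelated. The agency domains and observed hostnames are constructed and fictional, and the mail./webmail. prefix check and the hyphenated-domain check are assumptions about how such lookalikes are built.

```python
"""Screen a hostname feed for webmail-portal lookalikes that embed a real agency domain."""
import re

# Constructed, fictional legitimate agency domains for this example.
# Assumption: in practice this list comes from the organisation's own DNS inventory.
LEGIT_DOMAINS = [
    "mfa.gov.example",
    "minfin.gov.example",
    "navy.mil.example",
]

# Constructed hostnames standing in for a passive-DNS or CT-log feed (not real data).
OBSERVED_HOSTNAMES = [
    "mail.mfa.gov.example",                    # the agency's real webmail host
    "mail.mfa.gov.example.secure-login.net",   # real domain used as a prefix of a rogue one
    "mail-mfa-gov-example.com",                # dots swapped for hyphens
    "webmail.minfin-gov-example.org",          # webmail prefix, hyphenated agency domain
    "mail.navy.mil.example.evil.top",
    "mail.unrelated-company.example",          # mail prefix but no agency domain inside
    "MAIL.MFA.GOV.EXAMPLE.",                   # case and trailing dot must be normalised
]

# Matches a leading "mail" or "webmail" label, or a label starting "mail-".
MAIL_PREFIX = re.compile(r"^(web)?mail([-.]|$)")


def normalize(hostname):
    """Lower-case and strip whitespace and any trailing dot before comparing."""
    return hostname.strip().lower().rstrip(".")


def is_real_subdomain(hostname, legit):
    """True only if hostname is the legit domain itself or sits directly under it."""
    return hostname == legit or hostname.endswith("." + legit)


def embeds_domain(hostname, legit):
    """True if the legit domain, dotted or hyphenated, appears anywhere in hostname.
    Deliberately loose: a few false positives are acceptable for a triage heuristic."""
    return legit in hostname or legit.replace(".", "-") in hostname


def classify(hostname, legit_domains=LEGIT_DOMAINS):
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    h = normalize(hostname)
    # Check real subdomains first so the agency's own mail host is never flagged.
    if any(is_real_subdomain(h, legit) for legit in legit_domains):
        return "legitimate"
    if not MAIL_PREFIX.match(h):
        return "unrelated"
    if any(embeds_domain(h, legit) for legit in legit_domains):
        return "lookalike"
    return "unrelated"


def find_lookalikes(hostnames, legit_domains=LEGIT_DOMAINS):
    """Normalised list of hostnames that impersonate an agency webmail portal."""
    return [normalize(h) for h in hostnames if classify(h, legit_domains) == "lookalike"]


if __name__ == "__main__":
    for host in OBSERVED_HOSTNAMES:
        print(f"{normalize(host):45} {classify(host)}")
```

The order of checks matters: a genuine subdomain such as the agency's own mail host also starts with mail. and also contains the agency domain, so it must be recognised as legitimate before the lookalike heuristic runs. Anything flagged as a lookalike is a candidate for a registrar takedown request and for a block on the mail gateway and web proxy.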
“The threat actors behind this campaign appear to be targeting the email portals of these government departments, potentially as part of an intelligence-gathering campaign. Access to government ministries, particularly a Ministry of Foreign Affairs, is a key part of most nation-state hacking groups’ targeting. This campaign’s main targets, with the largest number of phishing pages, appear to be Belarus, Ukraine, and Uzbekistan,” Cyjax said.
Believed to be an APT Campaign
While the threat actors behind the campaign have not been identified, Cyjax assessed that the activity is more consistent with a state-sponsored APT than with financially motivated cybercrime.
“The targeting more generally suggests that this could be the work of an advanced persistent threat (APT) working on behalf of a nation-state. While it is, however, possible that this could be a cybercriminal campaign looking to serve as an access broker on underground forums, many of the countries targeted are Russian satellites or Russia itself, countries that many cybercriminals do not target to prevent attention from local law enforcement. Considering the narrow targeting and lack of immediate financial benefit, therefore, we believe this activity is more aligned to a state-sponsored APT campaign,” Cyjax added.