Cyjax analysts have uncovered a large credential harvesting campaign targeting multiple government departments in APAC and EMEA countries. Over 50 hostnames were analysed, many of which were posing as the Ministry of Foreign Affairs, Ministry of Finance, or Ministry of Energy, in various countries such as Uzbekistan, Belarus, and Turkey; as well as the Main Intelligence Directorate of Ukraine and the Pakistan Navy. IOCs for this campaign can be found at the bottom of this blog.
It is currently unknown how the attackers are spreading the credential harvesting pages, as no phishing emails have yet been uncovered. Phishing links are, however, the most likely method of distribution.
Fig. 1 – Credential harvesting pages posing as mail server login portal for government departments
Fig. 2 – Countries targeted in the credential harvesting campaign
Fig. 3 – Ministries of Foreign Affairs were the primary target, making up one-quarter of domains
Fig. 4 – Phishing page posing as an Uzbekistan Government login portal
The campaign is believed to have started in Spring 2020 when the domains were first transferred to their current host. At the time of discovery, 15 phishing pages were still active and targeting the governments of Kyrgyzstan, Belarus, Georgia, Turkmenistan, Ukraine, Uzbekistan, as well as the Pakistan Navy, and several that posed as the Mail.ru email service.
The domains in this campaign typically began with “mail.” and often contained the targeted government department’s real domain in full as a hostname on the attacker’s domain. Only five domains were registered by the attackers in this campaign: either through Tucows or PublicDomainRegistry; using either OVH SAS or VDSINA to host the sites.
The threat actors behind this campaign appear to be targeting the email portals of these government departments, potentially as part of an intelligence-gathering campaign. Access to government ministries, particularly a Ministry of Foreign Affairs, is a key part of most nation-state hacking groups’ targeting. This campaign’s main targets, with the greatest number of phishing pages, appear to be Belarus, Ukraine, and Uzbekistan.
The overall targeting of this campaign suggests that it could be the work of an advanced persistent threat (APT) working on behalf of a nation-state. While it is, however, possible that this could be a cybercriminal campaign looking to serve as an access broker on underground forums, many of the countries targeted are Russian satellites or Russia itself. These are countries that many cybercriminals avoid targeting to prevent attention from local law enforcement. Considering the narrow targeting and lack of immediate financial benefit, therefore, we believe this activity is more aligned to a state-sponsored APT campaign.
Analysis of one of the OVH IP addresses (145.239.23.7) that has been used to host several of the domains, and is currently used as host, uncovered a potential link to an APT campaign launched against Ukraine during the first year of the COVID-19 pandemic. Cyjax analysts discovered that a previously disclosed malicious hostname (cloud-seuirty[.]ggpht[.]ml) was created at a similar time and used the same credential harvesting page template as others in this campaign. The attack against Ukraine is tracked by some in the private cybersecurity industry as Operation TrickyMouse, which has tentative links to UNC1151 and Hades (also known as Sandworm). (1, 2, 3, 4)
Targeted organisations and malicious domains:
| Armenia Ministry of Foreign Affairs | mail.mfa.am.webmails.info |
| Azerbaijan Government | mail.gov.az.connecting.fail |
| Belarus Ministry of Economy | mail.economy.gov.by.connecting.fail |
| Belarus Ministry of Economy | rnail.economy.gcv.by |
| Belarus Ministry of Energy | rnail.minenergo.gcv.by |
| Belarus Ministry of Finance | rnail.minfin.gcv.by |
| Belarus Ministry of Foreign Affairs | mail.mfa.gov.by.connecting.fail |
| Belarus Ministry of Information | mail.mininform.gov.by.connecting.fail |
| Belarus Ministry of Information | rnail.mininform.gcv.by |
| Belarus President Property Management Directorate | mail.pmrb.gov.by.connecting.fail |
| Belarus President Property Management Directorate | pmrb.gcv.by |
| Belarus State Military Industrial Committee | rnail.vpk.gcv.by |
| China Ministry of Foreign Affairs | mail.mfa.gov.cn.connecting.fail |
| Georgia Ministry of Economy | mail.economy.ge.webmails.info |
| Georgia Ministry of Foreign Affairs | email.mfa.gov.ge.connecting.fail |
| Georgia Ministry of Foreign Affairs | email.mfa.gov.ge.webmails.info |
| Georgia Ministry of Internally Displaced Persons | scoring.mra.gov.ge.webmails.info |
| Kyrgyzstan Ministry of Foreign Affairs | mail.mfa.gov.kg.connecting-to-server.info |
| Kyrgyzstan Ministry of Foreign Affairs | mail.mfa.gov.kg.webmails.info |
| Mail.ru | e.mail.ru.inbox.webmails.info |
| Mail.ru | account.mail.ru.webmails.info |
| Mail.ru | cloud.mail.ru.webmails.info |
| Pakistan Navy | mail.paknavy.gov.pk.connecting.fail |
| Russian Academy of Sciences | webmail.ras.ru.connecting.fail |
| Turkey Ataturk Research Center Presidency | mail.atam.gov.tr.connecting-to-server.fail |
| Turkey ESHOT Public Bus Transport General Directorate | mail.eshot.gov.tr.connecting-to-server.fail |
| Turkey General Directorate of Konya Water and Sewerage Administration | mail.koski.gov.tr.connecting-to-server.fail |
| Turkey General Directorate of Mardin Water and Canal Administration | mail.marsu.gov.tr.connecting-to-server.fail |
| Turkey Manuscripts Institution Presidency | mail.yek.gov.tr.connecting-to-server.fail |
| Turkey Ministry of Justice | webmail.adalet.gov.tr.connecting.fail |
| Turkey Northeast Anatolian Development Agency | mail.kudaka.gov.tr.connecting-to-server.fail |
| Turkey TRUSAS Railway Vehicles Industry | mail.turasas.gov.tr.connecting-to-server.fail |
| Turkmen Telecom | wm.online.tm.connecting.fail |
| Turkmen Telecom | wm.online.tm.connecting-to-server.fail |
| Ukraine Electronic Court of Government | e-court.mail.gov.ua.connecting.fail |
| Ukraine Main Intelligence Directorate of the Ministry of Defense | mail.gur.gov.ua.connecting.fail |
| Ukraine Ministry of Foreign Affairs | mail16.mfa.gov.ua.connecting.fail |
| Ukraine Ministry of Health | mail.moz.gov.ua.connecting-to-server.fail |
| Ukraine National Agency of Civil Service Affairs | mail.nads.gov.ua.connecting-to-server.fail |
| Ukraine National School of Judges | mail.nsj.gov.ua.connecting-to-server.fail |
| Uzbekistan Agency for the Development of Public Service (ARGOS) | mail.argos.uz.connecting-to-server.info |
| Uzbekistan Government | adm.gov.uz.connecting.fail |
| Uzbekistan Government | adm.gov.uz.connecting-to-server.fail |
| Uzbekistan Interstate Commission for Water Coordination | icwc-aral.uz.connecting.fail |
| Uzbekistan Ministry of Agriculture | mail.agro.uz.webmails.info |
| Uzbekistan Ministry of Energy | post.minenergy.uz.connecting.fail |
| Uzbekistan Ministry of Foreign Affairs | mail.mfa.uz.connecting-to-server.info |
| Uzbekistan Ministry of Foreign Affairs | post.mfa.uz.connecting.fail |
| Uzbekistan Ministry of Foreign Affairs | mail.mfa.uz.webmails.info |
| Uzbekistan Ministry of Innovation | mail.mininnovation.uz.connecting.fail |
| Uzbekistan Ministry of Investments and Foreign Trade | mail.mift.uz.connecting.fail |
| Uzbekistan Ministry of Investments and Foreign Trade | mail.mift.uz.webmails.info |
| Uzbekistan Ministry of Transportation | mail.mintrans.uz.connecting.fail |