APT credential theft campaign targeting EMEA and APAC governments

Community Feature - @BushidoToken

A Curated Intelligence staff member - BushidoToken - recently uncovered a large credential harvesting campaign targeting multiple government departments in APAC and EMEA countries. Over 50 hostnames were analysed, many of which posed as the Ministry of Foreign Affairs, Ministry of Finance, or Ministry of Energy of countries such as Uzbekistan, Belarus, and Turkey, as well as the Main Intelligence Directorate of Ukraine and the Pakistan Navy.


The threat actors behind this campaign appear to be targeting the email portals of these government departments, potentially as part of an intelligence-gathering campaign. Access to government ministries, particularly a Ministry of Foreign Affairs, is a key part of most nation-state hacking groups’ targeting. Considering the narrow targeting and lack of immediate financial benefit, this activity is more aligned to a state-sponsored APT campaign, rather than a cybercriminal one.

IOCs are available on @BushidoToken's AlienVault OTX page.

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic, or other CTI content, let us know!