The phishing attack scheme is striking in its simplicity and genius.
The BlackBerry Research Group reported on Feb. 27 that a hacker group known as Blind Eagle or APT-C-36 recently managed to impersonate the state tax agency of Colombia and Ecuador in order to steal information from government, financial and many other institutions in these countries.
Blind Eagle was previously covered by CheckPoint, who said the group had developed a "more advanced set of tools" for spreading phishing emails. The malicious links in these emails eventually led victims to install a remote access trojan (RAT), which gave hackers access to infected computers.
Researchers believe that the Blind Eagle group has been operating since at least 2018 and is physically based in South America, although there is no concrete evidence for this.
In the group's malware campaign studied by BlackBerry, phishing emails came with fake PDF files that looked like they came from the Colombian National Tax Administration. “The letter we analyzed says that the recipient is '45 days in arrears' in paying taxes. The recipient is prompted to click on a link to view their invoice, which is delivered as a password-protected PDF file.
The Blind Eagle campaigns that CheckPoint exposed were more geared towards gaining access to financial institutions. One of the linked PDFs was designed to look like a document from the Migration Department of the Colombian Ministry of Foreign Affairs. And another used the logo of the Ecuadorian Internal Revenue Service.
"Blind Eagle is clearly more interested in cybercrime and monetary gain than espionage," CheckPoint said, while BlackBerry believes otherwise. They think the group's most recent campaign was specifically about "information theft and espionage."
This is hardly the last time we hear about the Blind Eagle grouping. Probably, the true motives of the attackers will be revealed later.