Before targeting Belarus, Eastern Europe-focused hackers flew under the radar

Despite the explosion of security firms that track state-linked hackers, a significant amount of that activity goes unnoticed.
ESET, RSA 2019
Researchers at Slovakian anti-virus company ESET made the discovery. (Scoop News Group photo)

A mysterious cyber-espionage group, active for nearly a decade but documented in detail by private researchers for the first time Friday, has been hacking into government organizations in Eastern Europe in search of secrets.

The hacking group has targeted military organizations, foreign ministries and private firms in Russia, Ukraine, Belarus and the Balkans with pinpoint espionage. Researchers from the anti-virus firm ESET, which claimed the discovery and christened the group “XDSpy,” said the attackers have been scouring a few dozen computers in search of sensitive PDF and Microsoft Word documents.

One of the few other public indicators that XDSpy was on the prowl came from a February advisory from the Belarusian government’s National Computer Emergency Response Team. That statement listed four Belarusian government email accounts that had been compromised by the attackers, but warned that various government officials had been targeted.

The broader region has long been subject to cyber-espionage activity, as hackers from Russia and elsewhere aim to track policymakers from former Soviet states such as Ukraine and Georgia, according to a large body of cybersecurity research. Belarus, in particular, has been the subject of international headlines after autocrat Alexander Lukashenko used technology to crack down on protesters following a disputed election.


The identity of the group behind the XDSpy attacks remains unclear.

“I believe [XDSpy] attracted attention in 2020 because they increase their attack tempo,” ESET researcher Mathieu Faou told CyberScoop. “Their operation became noisier and several people started to look at their activities.”

ESET researchers say it appears to be state-sponsored, but they declined to speculate on which government might be behind it. They did say that the operatives appeared to be based in the same time zones as many of their targets.

The research is a peak behind the curtain of typical espionage activity. The attackers appeared to have tracked their targets’ locations by monitoring wireless access points, and in some cases attempted to exfiltrate data from compromised computers.

Faou said the group’s rather “basic” malware has been effective over the years. But the XDSpy hackers may have also turned to a murky software exploit market where spies and private code-slingers increasingly rub shoulders.


In June, the spies exploited a vulnerability in Internet Explorer. There was little public data on the exploit at the time, ESET said, suggesting that XDSpy either developed it on their own or bought it from an unnamed broker. The code from the exploit bears similarities to one used by DarkHotel, a different espionage group suspected of operating out of South Korea.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts