Belarusian Hackers Target Ukraine’s Ministry of Defence in New Espionage Campaign

Belarusian state-sponsored hackers have launched a new cyberespionage campaign targeting Ukraine’s Ministry of Defence and a military base. Researchers from the cybersecurity firm Cyble have attributed the attacks to Ghostwriter, a Belarus-linked group known for targeting Ukraine, Lithuania, Latvia, and Poland.

The Attack Strategy

In April, Ghostwriter hackers sent phishing emails to their targets, containing drone image files and a malicious Microsoft Excel spreadsheet. When victims opened the .xls file, they were prompted to click an “Enable Content” button, which executed an embedded VBA macro. This action allowed the hackers to deliver malicious payloads, steal data, and gain unauthorised access to the systems.

While the final payload could not be retrieved during analysis, Cyble suspects it may include AgentTesla, Cobalt Strike beacons, and njRAT, as seen in previous Ghostwriter campaigns.
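A defender-side triage for the delivery described above, as an added example that is not from Cyble's report or this article: it walks a message's attachments and flags legacy OLE2 files that carry an Excel VBA project, whatever extension they are sent under. The sample message, file names and addresses are constructed, and the byte-marker check is a heuristic, not a full compound-file parser.

```python
import email
from email import policy
from email.message import EmailMessage

# Compound-file (OLE2) header used by legacy .xls workbooks.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Directory entry names are stored as UTF-16LE; Excel keeps its VBA
# project under a storage named _VBA_PROJECT_CUR.
VBA_MARKER = "_VBA_PROJECT_CUR".encode("utf-16-le")

def triage_attachment(data):
    """Return 'macro-ole', 'ole' or 'other' for one attachment body."""
    if not data.startswith(OLE2_MAGIC):
        return "other"
    return "macro-ole" if VBA_MARKER in data else "ole"

def triage_message(raw_bytes):
    """Map each attachment file name to its verdict, judged on content."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdicts[name] = triage_attachment(part.get_payload(decode=True) or b"")
    return verdicts

def build_sample():
    """Constructed message: header and marker bytes only, no real workbook."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    macro_xls = OLE2_MAGIC + b"\x00" * 504 + VBA_MARKER
    plain_xls = OLE2_MAGIC + b"\x00" * 504 + "Workbook".encode("utf-16-le")
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    msg.add_attachment(macro_xls, maintype="application", subtype="vnd.ms-excel", filename="report.xls")
    msg.add_attachment(plain_xls, maintype="application", subtype="vnd.ms-excel", filename="table.xls")
    msg.add_attachment(jpeg, maintype="image", subtype="jpeg", filename="photo.jpg")
    # Extension mismatch: OLE2 content under an image name is still flagged.
    msg.add_attachment(macro_xls, maintype="image", subtype="jpeg", filename="photo2.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in triage_message(build_sample()).items():
        print(f"{name}: {verdict}")
```

A "macro-ole" verdict is a reason to quarantine and inspect the file, not proof of malice; the check covers VBA projects only.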

Ghostwriter’s Persistent Threat

Active since at least 2017, Ghostwriter, also known as UNC1151 and Storm-0257, has a history of targeting Ukrainian military personnel and Polish government services. The group primarily uses phishing operations to steal email login credentials, compromise websites, and distribute malware.

In this latest campaign, Ghostwriter’s main objective was likely to steal information and gain remote access to infected systems. The group continues to update its techniques to evade detection, making it a persistent threat to Ukraine.

CERT-UA’s Additional Warnings

On Tuesday, Ukraine’s Computer Emergency Response Team (CERT-UA) issued warnings about cyberattacks against Ukrainian military personnel and defence services using DarkCrystal malware. This malware allows attackers to gain remote access to victims’ devices. The threat actor, tracked as UAC-0200, used the Signal messaging app to deliver malicious files, posing as trusted contacts to increase the likelihood of successful attacks.

CERT-UA reports that cyberattacks against Ukraine have been steadily increasing over the past two years. Hackers are exploiting the latest vulnerabilities and aligning their attacks with current events to maximise their impact.

Staying Vigilant

The rise in cyberattacks underscores the importance of robust cybersecurity measures. Organisations must stay informed about the latest threats and continuously update their defences.


FAQs

What is Ghostwriter? Ghostwriter is a Belarus-linked state-sponsored hacking group known for targeting Ukraine, Lithuania, Latvia, and Poland through phishing and malware attacks.

How did Ghostwriter execute the latest attacks? The group sent phishing emails with malicious Excel files. When victims enabled the content, it executed a VBA macro that allowed the hackers to deliver malicious payloads and gain unauthorised access.

What were the targets of these attacks? The primary targets were Ukraine’s Ministry of Defence and a military base.

What is the role of CERT-UA? CERT-UA monitors cyber threats and issues warnings. Recently, it warned of cyberattacks using DarkCrystal malware targeting Ukrainian defence personnel.

How can organisations protect themselves? Organisations should implement comprehensive security strategies, continuously monitor for threats, and keep their systems updated.