Summary: Belarusian state-sponsored hackers known as Ghostwriter targeted Ukraine’s Ministry of Defence and a military base in a cyberespionage operation by sending phishing emails with malicious attachments.
Threat Actor: Ghostwriter
Victim: Ukraine’s Ministry of Defence
Key Points:
- Belarusian state-sponsored hackers, Ghostwriter, targeted Ukraine’s Ministry of Defence and a military base in a cyberespionage operation.
- The hackers sent phishing emails with drone image files and a malicious Microsoft Excel spreadsheet as attachments.
- When victims opened the .xls file and clicked on the “Enable Content” button, it executed a VBA Macro that allowed the hackers to deliver malicious payloads, steal data, and gain unauthorized access to systems.
- The attacks were attributed to Ghostwriter based on their previous attacks on Ukraine, Lithuania, Latvia, and Poland.

Belarusian state-sponsored hackers targeted Ukraine’s Ministry of Defence and a military base in a new cyberespionage operation, researchers say.
They attributed the attacks to the threat actor Ghostwriter, a Belarus-linked group known for its attacks on Ukraine, Lithuania, Latvia, and Poland. In the latest campaign, observed in April by researchers at the cybersecurity firm Cyble, the hackers sent their targets phishing emails with an attachment that contained drone image files and a malicious Microsoft Excel spreadsheet.
Researchers said they identified alleged victims based on the content of lure documents.
When victims open the .xls file, a button labeled “Enable Content” pops up on their screen, Cyble explained in the report released on Tuesday. Once clicked, it executes an embedded VBA Macro within the document, allowing the hackers to deliver malicious payloads, steal data and gain unauthorized access to systems.
During analysis, Cyble couldn’t retrieve the final payload but said that it possibly includes AgentTesla, Cobalt Strike beacons, and njRAT, as seen in previous Ghostwriter campaigns.
Ghostwriter, also tracked as UNC1151 and Storm-0257, has been active since at least 2017. It has previously targeted Ukrainian military personnel and Polish government services. The group mostly carries out phishing operations that steal email login credentials, compromise websites, and distribute malware.
Researchers at Cyble said that Ghostwriter is persistently targeting Ukraine and keeps updating its techniques to evade detection. In the latest campaigns, the group’s primary motivation likely was to steal information and gain remote access to infected systems.
Also on Tuesday, Ukraine’s Computer Emergency Response Team (CERT-UA) warned about cyberattacks against Ukrainian military personnel and defense services using DarkCrystal malware, which could allow attackers to gain remote access to the victim’s device.
The threat actor tracked as UAC-0200 used the Signal messaging app to deliver malicious files to its victims. The hackers posed as people the targeted users might know to make their messages seem more trustworthy.
According to CERT-UA, the cybercriminals sent their victims an archive and a password to access it, urging them to open it on their computers only.
The number of incidents against Ukraine has been growing steadily over the past two years, and hackers are getting better at targeting, CERT-UA said in a report released in May.
They exploit the latest vulnerabilities and align their attacks with trending events and news to “increase the attention and potential complacency of targets.” The Ukrainian military, as well as the country’s critical infrastructure, are among the hackers’ most frequent targets, according to the report.
Source: https://therecord.media/belarus-hackers-ukraine-ministry-defense