[Cyware] Belarus-linked hackers target Ukrainian orgs with PicassoLoader malware

Summary: A Belarusian state-sponsored hacker group, GhostWriter, has targeted Ukrainian organizations and government agencies using PicassoLoader malware, with a focus on local governance reform projects. The group is known for its cyber espionage activities and has previously attacked various Ukrainian entities and their allies.

Threat Actor: GhostWriter
Victim: Ukrainian organizations

Key Points:

  • GhostWriter used PicassoLoader and Cobalt Strike Beacon to infect Ukrainian victims.
  • The campaign targeted local government offices and representatives of the U.S. Agency for International Development (USAID).
  • Phishing emails related to USAID’s Hoverla project were part of the attack strategy.
  • GhostWriter has a history of targeting Ukrainian entities and is linked to the Belarusian state.
  • The group may also have ties to Russian influence in its operations.

A suspected Belarusian state-sponsored hacker group targeted Ukrainian organizations and local government agencies with PicassoLoader malware, according to a new report.

In a campaign earlier this month, a hacker group known as GhostWriter — tracked as UAC-0057 — used their typical toolset of PicassoLoader and a backdoor called Cobalt Strike Beacon to infect Ukrainian victims.

Researchers at Ukraine’s computer emergency response team (CERT-UA) suspect the likely targets of these attacks were local government offices, as well as representatives of the U.S. Agency for International Development, which is responsible for administering civilian foreign aid and development assistance.

The content of some of the phishing emails sent by the hackers was related to USAID’s Hoverla project, which aims to reform the local governance system in Ukraine, CERT-UA said.

The report doesn’t specify the goal of the campaign, but GhostWriter is mostly known for being involved in cyber espionage. Researchers said the group could be interested in Ukraine’s financial and economic indicators, taxation, as well as the reform of local self-government bodies.

GhostWriter has repeatedly gone after Ukrainian entities. Last July, it deployed PicassoLoader against Ukraine’s government organizations, and in August 2023 it used the same tool to target Ukraine’s National Defense University. This June, the hackers attacked Ukraine’s Ministry of Defence and a military base.

In a 2021 report, Google-owned Mandiant said that GhostWriter is linked to the Belarusian state, and its campaigns align with Belarusian government interests. Researchers also believe Russia could have some influence over the group’s activity.

In addition to Ukraine, GhostWriter has also attacked Kyiv’s allies, including Lithuania, Latvia, and Poland. It is known for deploying a relatively unchanged set of tools in its campaigns — like the PicassoLoader, AgentTesla, Cobalt Strike Beacon, and njRAT.


Source: https://therecord.media/belarus-ukraine-picasso-malware-ghostwriter