[Image: Ukrainian soldier. Credit: President of Ukraine / Flickr]

Belarusian hackers target Ukraine’s Ministry of Defence in new espionage campaign

Belarusian state-sponsored hackers targeted Ukraine’s Ministry of Defence and a military base in a new cyberespionage operation, researchers say. 

They attributed the attacks to the threat actor Ghostwriter, a Belarus-linked group known for its attacks on Ukraine, Lithuania, Latvia, and Poland. In the latest campaign, observed in April by researchers at the cybersecurity firm Cyble, the hackers sent their targets phishing emails with an attachment that contained drone image files and a malicious Microsoft Excel spreadsheet.

Researchers said they identified alleged victims based on the content of lure documents.

When victims open the .xls file, a button labeled “Enable Content” pops up on their screen, Cyble explained in the report released on Tuesday. Once clicked, it executes a VBA macro embedded in the document, allowing the hackers to deliver malicious payloads, steal data and gain unauthorized access to systems.

During analysis, Cyble couldn’t retrieve the final payload but said that it possibly includes AgentTesla, Cobalt Strike beacons, and njRAT, as seen in previous Ghostwriter campaigns.

Ghostwriter, also tracked as UNC1151 and Storm-0257, has been active since at least 2017. It has previously targeted Ukrainian military personnel and Polish government services. The group mostly carries out phishing operations that steal email login credentials, compromise websites, and distribute malware.

Researchers at Cyble said that Ghostwriter is persistently targeting Ukraine and keeps updating its techniques to evade detection. In the latest campaigns, the group’s primary motivation likely was to steal information and gain remote access to infected systems.

Also on Tuesday, Ukraine’s Computer Emergency Response Team (CERT-UA) warned about cyberattacks against Ukrainian military personnel and defense services using DarkCrystal malware, which could allow attackers to gain remote access to the victim’s device.

The threat actor tracked as UAC-0200 used the Signal messaging app to deliver malicious files to its victims. The hackers posed as people the targeted users might know to make their messages seem more trustworthy.

According to CERT-UA, the cybercriminals sent their victims an archive and a password to access it, urging them to open it on their computers only.
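Both lures described above, the Excel attachment whose macro runs once a user clicks “Enable Content” and the password-protected archive delivered over Signal, can be caught before a user ever sees them. The script below is an added example written for this article, not tooling from Cyble, CERT-UA or Recorded Future: it triages an attachment by flagging Office files that carry a VBA project (legacy OLE2 .xls as well as OOXML .xlsm) and archives with encrypted entries. The OLE2 check is a byte-level heuristic that relies on directory entry names being stored as UTF-16LE inside the compound file; it is not a full parser, and the fixtures it runs on are constructed in the script (a stub workbook and a ZIP whose encryption flag is patched in), not real samples.

```python
"""Attachment triage for macro-enabled Office files and password-protected archives.

Added example (not the researchers' tooling). Heuristics only; for real analysis
of the VBA itself, use a proper OLE/OOXML parser such as oletools/olevba.
"""
from __future__ import annotations

import io
import struct
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.xlsm/.docm) and archives
# OLE2 directory entry names are stored UTF-16LE; a VBA project shows up as
# "_VBA_PROJECT" / "_VBA_PROJECT_CUR" in the directory sectors.
VBA_DIR_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def has_vba_project(data: bytes) -> bool:
    """True if an Office file contains a VBA project (i.e. macros)."""
    if data.startswith(OLE2_MAGIC):
        return VBA_DIR_MARKER in data
    if data.startswith(ZIP_MAGIC):
        # OOXML stores macros in a vbaProject.bin part inside the ZIP.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def has_encrypted_entries(data: bytes) -> bool:
    """True if a ZIP archive has at least one password-protected entry."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flag marks an encrypted entry.
            return any(info.flag_bits & 0x0001 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the findings for one attachment (empty list = nothing flagged)."""
    findings: list[str] = []
    if has_vba_project(data):
        findings.append("office-vba-macro")
    if has_encrypted_entries(data):
        findings.append("password-protected-archive")
    # A ZIP container delivered under a legacy binary extension is suspicious.
    if filename.lower().endswith((".xls", ".doc")) and data.startswith(ZIP_MAGIC):
        findings.append("extension-mismatch")
    return findings


def _patch_zip_flags(data: bytes, flag: int) -> bytes:
    """Fixture helper: set the general-purpose flag on every ZIP entry.

    Python's zipfile cannot write encrypted entries, so the test archive is
    built unencrypted and its flag bytes (offset 6 in local headers, offset 8
    in central-directory headers) are overwritten afterwards.
    """
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off:pos + off + 2] = struct.pack("<H", flag)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_samples() -> dict[str, bytes]:
    """Constructed fixtures, not real malware: just enough structure for the checks."""
    # Pseudo-.xls: OLE2 header, padding, then a UTF-16LE VBA directory entry name.
    macro_xls = OLE2_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le")
    clean_xls = OLE2_MAGIC + b"\x00" * 504 + "Workbook".encode("utf-16-le")
    # OOXML workbook carrying a stub vbaProject.bin part.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\x00")
    macro_xlsm = buf.getvalue()
    # Plain archive and a copy marked as password-protected.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    plain_zip = buf.getvalue()
    locked_zip = _patch_zip_flags(plain_zip, 0x0001)
    return {
        "macro_xls": macro_xls,
        "clean_xls": clean_xls,
        "macro_xlsm": macro_xlsm,
        "plain_zip": plain_zip,
        "locked_zip": locked_zip,
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        ext = "xls" if "xls" in name and "xlsm" not in name else ("xlsm" if "xlsm" in name else "zip")
        print(f"{name}.{ext}: {triage_attachment(f'{name}.{ext}', blob) or 'clean'}")
```

In a mail gateway or EDR rule, a hit on either finding is not proof of malice (legitimate macro workbooks and encrypted archives exist), but both are worth quarantining for review or at least stripping before delivery, which is exactly what would have blunted these two campaigns.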

The number of incidents against Ukraine has been growing steadily over the past two years, and hackers are getting better at targeting, CERT-UA said in a report released in May.

They exploit the latest vulnerabilities and align their attacks with trending events and news to “increase the attention and potential complacency of targets.” The Ukrainian military, as well as the country’s critical infrastructure, are among the hackers’ most frequent targets, according to the report.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.