Belarus-linked hacks on Ukraine, Poland began at least a year ago, report says

Researchers have published new information about a malicious campaign targeting government agencies, military organizations and civilian entities in Ukraine and Poland.

From at least April 2022 until this month, hackers attempted to infiltrate victims' devices to steal information and gain permanent remote access, according to a new report released by cybersecurity firm Cisco Talos.

The researchers did not disclose the extent of the impact of the attacks.

Cisco Talos noted that Ukraine's computer emergency response team (CERT-UA) recently attributed the July incidents to the hacker group UNC1151, also known as GhostWriter, which has been linked to the Belarusian government.

CERT-UA’s report did not include information about attacks before July.

GhostWriter has targeted Ukrainian military personnel and Poland's government services before. The group mostly carries out phishing operations that steal email login credentials, compromise websites and distribute malware.

In the campaign tracked by Cisco Talos, hackers used a multistage infection chain to get into their targets’ systems. First, they sent malicious Microsoft Office email attachments, mostly using Microsoft Excel and PowerPoint file formats, the researchers said

These files imitated documents that appear to be sent from Ukraine's Ministry of Defense, Poland's Ministry of National Defense, and the State Treasury Service of Ukraine, among others.

For instance, some of the Excel documents resemble forms used to calculate salary payments for soldiers of a specific military unit. Ukrainian and Polish businesses and general users were targeted by malicious Excel spreadsheets that masqueraded as value-added tax (VAT) return forms.

The PowerPoint files would not show any actual slides when opened, but would still execute the malicious code. Researchers suggest that hackers' use of PowerPoint files indicates that they were experimenting with file formats that are less commonly used in attacks.

The next stage of the attack was the deployment of downloader malware called PicassoLoader, which launches the final payloads, including the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and another trojan known as njRAT. These payloads are used for information theft and remote access to infected systems, the researchers said.