Belarusian state-sponsored hackers, identified as Ghostwriter, have initiated a fresh cyberespionage campaign aimed at Ukraine’s Ministry of Defence and a military base. This operation, detected in April by cybersecurity firm Cyble, involves phishing emails containing drone image attachments and malicious Excel spreadsheets. Upon opening the attachment, victims are prompted to enable content, which triggers an embedded VBA macro that facilitates the delivery of malicious payloads, data theft, and unauthorized system access.
Ghostwriter, also known as UNC1151 and Storm-0257, has a history of targeting Ukraine, Lithuania, Latvia, and Poland since at least 2017. Their modus operandi typically involves phishing operations aimed at stealing email credentials, compromising websites, and distributing malware. Despite their persistent focus on Ukraine, the group continually evolves its techniques to evade detection, with the latest campaign emphasizing information theft and remote system access.
In a separate development, Ukraine’s Computer Emergency Response Team (CERT-UA) issued a warning regarding cyberattacks leveraging DarkCrystal malware against military personnel and defense services. The perpetrators, identified as UAC-0200, used the Signal messaging app to deliver malicious files, posing as trusted individuals to enhance credibility. CERT-UA noted a growing trend of cyber incidents targeting Ukraine over the past two years, with hackers exploiting vulnerabilities and leveraging current events to maximize impact.
The escalating cyber threats against Ukraine’s military and critical infrastructure underscore the urgency for enhanced cybersecurity measures and vigilance. As hackers continue to adapt and refine their tactics, collaborative efforts between cybersecurity agencies and organizations are essential to thwarting future attacks and safeguarding national security interests.