A recent report reveals that the Belarusian state-sponsored hacker group GhostWriter has targeted Ukrainian organizations with PicassoLoader malware. This group, tracked as UAC-0057, utilized PicassoLoader along with a backdoor tool called Cobalt Strike Beacon to compromise Ukrainian government agencies and local offices. The phishing emails sent during this campaign were reportedly related to the U.S. Agency for International Development’s Hoverla project, which focuses on reforming Ukraine’s local governance.
The Ukrainian computer emergency response team (CERT-UA) suspects that the attackers were interested in Ukrainian local government offices and representatives involved with USAID. GhostWriter, known for its cyber espionage activities, has previously targeted Ukrainian entities, including government organizations and military bases. The group’s consistent use of tools like PicassoLoader and AgentTesla underscores their ongoing focus on Ukraine.
While the specific goals of the recent campaign are not detailed, researchers believe GhostWriter is likely interested in Ukraine’s financial data, economic indicators, and local governance reforms. This aligns with their previous activities, which have consistently targeted Ukrainian institutions to gather sensitive information.
GhostWriter, linked to the Belarusian state, has also been known to attack Kyiv’s allies, including Lithuania, Latvia, and Poland. The group’s tactics involve a relatively unchanged set of tools, reinforcing their persistent cyber espionage efforts in the region and reflecting broader geopolitical interests.
