CyberWire Daily – Research Saturday
Episode: Excel-lerating cyberattacks.
Original Air Date: December 27, 2025
Guest: Tom Hagel, Principal Threat Researcher, Sentinel Labs
Host: Dave Bittner
Episode Overview
This episode centers on the recent activities of the longstanding threat group Ghostwriter, focusing on their evolving cyberattack tactics targeting both the Ukrainian government and Belarusian political opposition. The discussion dives into their technical tradecraft, motivations behind their latest campaign, and practical advice for defending against such persistent actors. The conversation is both a deep dive into current threat intelligence and a reflection on the realities of defending high-risk targets in rapidly evolving geopolitical landscapes.
Key Discussion Points & Insights
1. Background on Ghostwriter
- Longstanding Threat: Ghostwriter has been active for close to a decade, gaining prominence around 2016 ([02:18]).
- Regional Focus: Initially, activity clustered in Eastern Europe, especially Belarus and Ukraine. The outbreak of war in Ukraine has drawn increased focus to Ghostwriter's campaigns ([02:18], [02:59]).
- Operational Scope: Traditionally targeting NATO, Ukrainian, and Western organizations, Ghostwriter has recently become more involved in domestic Belarusian targeting, especially in the run-up to national elections ([04:31]).
2. Target Selection and Shifts in Focus
- Standard Patterns: Attacks on Ukrainian governmental and military entities are consistent with Ghostwriter’s playbook, aimed at supporting Russian intelligence and wartime objectives ([04:31], [15:31]).
- Domestic Targeting: The group now shows more direct focus on Belarusian human rights activists, political opposition, and domestic dissent, seeking both intelligence and suppression of opposition voices ([06:36]).
- “We see the domestic stuff is ultimately trying to push out propaganda, trying to blend with like information ops combined with… targeted malware operations against individuals and organizations that might be seen as negative to domestic disputes within Belarus...” — Tom Hagel [04:31]
3. Attack Techniques and Technical Tradecraft
- Delivery Mechanisms:
- Past: Traditional credential phishing via email and social media ([08:00]).
- Current:
- Heavily obfuscated Excel documents delivered via Google Drive links ([08:00]).
- Documents contain personalized lures (election news, corruption reports, etc.), increasing the chance of successful compromise ([08:00]).
- Malicious documents employ VBA macros that deploy a two-stage payload:
- Stage 1: Malicious Excel spreadsheet.
- Stage 2: VBA macro writes and loads a DLL ("Picasso Loader") for persistent access ([08:00]).
- The DLL grants persistence and allows for subsequent payloads or data exfiltration at the attacker's discretion ([08:00]).
- Evasion:
- The macros obfuscate code and use commodity tools to avoid detection by antivirus and EDR solutions ([12:09]).
- After infection, the attacker shows the victim a decoy document matching the lure topic, reducing suspicion ([12:09]).
- “What they are being is persistent and creative… after all this happens, the lure document, a fake lure document is opened to show them what they think they should be seeing anyway.” — Tom Hagel [12:09]
4. Sophistication and Creative Adaptation
- Persistence Over Flashiness:
- While not technically groundbreaking, Ghostwriter’s operations are well-oiled and reliable at penetrating less-protected environments ([12:09]).
- Their adaptability allows them to shift between phishing, malware, and information operations fluidly ([14:23]).
- Resource Backing:
- The breadth and endurance of their campaigns point to significant institutional support, likely from Belarusian and/or Russian intelligence services ([14:23]).
- “It speaks to me of like an organization that gets a lot of backing and resources from the more capable organizations, perhaps in Russia or elsewhere…” — Tom Hagel [14:23]
5. Objectives and Strategic Aims
- Ukraine: Access for military intelligence, espionage, and potential lateral movement to facilitate further disruptive activity ([15:31]).
- Belarus domestic: Surveillance, harassment, and suppression of opposition figures and civil society—including human rights advocates and journalists ([15:31]).
- Efforts include both malware operations and coordinated propaganda/information ops campaigns in traditional and online media ([04:31], [16:51]).
6. Assessment of Impact
- Successes:
- Technical compromises appear to have had mainly limited strategic effect; there is no evidence of major campaign wins ([16:51]).
- Strongest impact seen in the realm of information operations, with successfully spread disinformation in mainstream channels both regionally and internationally ([16:51]).
- “The information ops side of this, I think, is their most noteworthy level of success because the narratives that they are crafting and spreading have done quite well, making it to mainstream media...” — Tom Hagel [16:51]
7. Defensive Recommendations
- For High-Risk Regions & Organizations:
- Harden email defenses; strictly filter emails containing Google Drive links, especially those with password protection ([18:36]).
- Block or quarantine unfamiliar attachments/files—prioritize allowlisting over trusting unknown files ([18:36]).
- Control what files can execute; restrict macros and executables from recent downloads ([18:36]).
- “If there’s a file that’s downloaded, never seen in the network before… and it wants to run anything more than just look at text, it’s completely blocked.” — Tom Hagel [18:36]
- For Individuals & Activists:
- Disable macros in Office files ([20:09]).
- Use hardened device modes (Apple Lockdown, Android equivalents) for greater baseline protection ([21:01]).
- Be vigilant with unsolicited documents and links, especially those tailored to your activism or research.
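As an added example (not code from the episode, the CyberWire, or SentinelLabs), the following Python script turns the organizational recommendations above, together with the delivery chain described in section 3 (Google Drive links, macro-enabled Excel lures), into a small mail-gateway triage rule. It inspects attachments for a VBA project inside the OOXML container rather than trusting the extension, flags Google Drive links and never-seen senders, and applies the "never seen before plus wants to run more than text gets blocked" policy. The sender addresses, URLs, workbooks, and policy thresholds are all constructed assumptions for the demonstration.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Matches links to Google Drive / Docs, the delivery channel described in the episode.
GDRIVE_RE = re.compile(r"https?://(?:drive|docs)\.google\.com/\S+", re.IGNORECASE)
# Magic bytes of legacy OLE2 compound files (.xls/.doc), which can also carry macros.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office file carries a VBA project part.

    The filename extension is not trusted: a macro-enabled workbook renamed to
    .xlsx still contains xl/vbaProject.bin, so the container itself is inspected.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


@dataclass
class Attachment:
    filename: str
    data: bytes


@dataclass
class Message:
    sender: str
    body: str
    attachments: list[Attachment] = field(default_factory=list)


def triage(msg: Message, known_senders: set[str]) -> tuple[str, list[str]]:
    """Assumed policy: a never-seen sender plus active content is blocked;
    active content or Drive links alone are quarantined for review;
    everything else is allowed. Returns (verdict, reasons)."""
    reasons: list[str] = []
    unknown_sender = msg.sender.lower() not in known_senders
    if unknown_sender:
        reasons.append(f"sender never seen before: {msg.sender}")
    links = GDRIVE_RE.findall(msg.body)
    if links:
        reasons.append(f"{len(links)} Google Drive link(s) in body")
    active = False
    for att in msg.attachments:
        if has_vba_project(att.data):
            active = True
            reasons.append(f"{att.filename}: contains a VBA project")
        elif att.data.startswith(OLE_MAGIC):
            # Legacy OLE files need an OLE parser (e.g. oletools) to inspect fully;
            # treat them as active content until proven otherwise.
            active = True
            reasons.append(f"{att.filename}: legacy OLE Office file, macros possible")
    if active and unknown_sender:
        return "block", reasons
    if active or links:
        return "quarantine", reasons
    return "allow", reasons


def make_workbook(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real Excel file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed-vba-stub")
    return buf.getvalue()


def demo() -> dict[str, str]:
    """Run the rule over four constructed messages and return their verdicts."""
    known = {"colleague@example.org"}  # constructed allowlist of seen senders
    samples = {
        "unknown_sender_macro_xlsm": Message(
            "news-desk@example.net",
            "Election results attached, also at https://drive.google.com/file/d/abc123/view",
            [Attachment("election_results.xlsm", make_workbook(True))]),
        "renamed_macro_file": Message(  # extension says .xlsx, container says VBA
            "tips@example.net", "See attached corruption report",
            [Attachment("report.xlsx", make_workbook(True))]),
        "known_sender_drive_link": Message(
            "colleague@example.org", "Draft is at https://docs.google.com/document/d/xyz"),
        "known_sender_clean_xlsx": Message(
            "colleague@example.org", "Budget attached",
            [Attachment("budget.xlsx", make_workbook(False))]),
    }
    return {name: triage(m, known)[0] for name, m in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
```

The renamed-file case is the one worth noting: a gateway that keys only on `.xlsm` would pass `report.xlsx`, while inspecting the zip for `vbaProject.bin` still catches it. A production rule would add an OLE parser for legacy formats and a sandbox detonation step, but the ordering of checks (sender reputation first, then container contents, then links) mirrors the layered approach the episode recommends.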
8. Broader Takeaways and Cautions
- Simplicity Still Works:
- Even well-resourced threat actors rely on “tried and true” tactics like malicious documents.
- Vigilance and layered defenses are crucial; don’t underestimate simple approaches ([21:45]).
- “Even the most sophisticated actors out there are still using what works. And in many cases that is just a simple malicious document.” — Tom Hagel [21:45]
Notable Quotes & Memorable Moments
- On targeting domestic opposition: “We see the domestic stuff is ultimately trying to push out propaganda, trying to blend with like information ops combined with… targeted malware operations against individuals and organizations that might be seen as negative to domestic disputes within Belarus...” — Tom Hagel [04:31]
- On tradecraft sophistication: “The stealth isn't so great, the sophistication isn't high. But what you're seeing is like the persistence and just like the workability of this whole thing, it's just smooth, it kind of works.” — Tom Hagel [12:09]
- On defensive posture: “If there’s a file that’s downloaded, never seen in the network before, comes from an email address they've never seen before in their system, and it wants to run anything more than just look at text or anything like that, it's completely blocked. So everybody gets, instead of an Excel spreadsheet, they get an ugly code of text. It keeps them tremendously safe…” — Tom Hagel [18:36]
- On adaptability of attackers: “This is the type of group that will adapt no matter what… there’s always hoops to hop through. But any… multi-layered approach is the way to go.” — Tom Hagel [20:09]
- Closing reflection: “Even the most sophisticated actors out there are still using what works. And in many cases that is just a simple malicious document. So don't take the simplicity of the initial access method for granted.” — Tom Hagel [21:45]
Key Timestamps
- 02:18 — Background on Ghostwriter and interest triggered by the war in Ukraine
- 04:31 — Shift toward domestic Belarusian targets and motivation
- 08:00 — Technical attack description: phishing, lures, VBA macros, DLL (Picasso Loader)
- 12:09 — Sophistication and evasion techniques
- 14:23 — Discussion of organizational backing and multifaceted operations
- 15:31 — Strategic objectives of targeting Ukraine and domestic Belarus
- 16:51 — Impact and measuring effectiveness
- 18:36 — Defensive recommendations for organizations
- 20:09 — Effectiveness of disabling macros, necessity of layered defenses
- 21:45 — Final takeaways and importance of tracking “simple” attacks
Conclusion
This episode provides a thorough look at Ghostwriter’s current activities—showcasing the blend of traditional and creative attack methods and the persistent, state-sponsored nature of their campaigns. The continued reliance on everyday document-based attacks, personalized lures, and information operations underscores the need for relentless vigilance and layered security. The conversation is both a technical tutorial and a stark reminder that, even when the offensive tactics seem simple, the strategic aims and real-world consequences are significant.
