Dave Bittner (4:16)

Into some of the technical details here. As you point out, this campaign seems to focus on Ukrainian government officials and the Belarusian opposition. Why do we suppose that these groups are being targeted?

Tom Hagel (4:31)

Yeah, a lot of this really comes back to looking at the history of this threat actor in general. You know, our understanding is that this threat actor and kudos to some amazing research done by others in the industry like Mandiant and others. They, they've found a lot of interesting things that published on it. We were able to kind of corroborate it in many places. But ultimately what we see is Ghostwriter is an organization likely in operation within Belarus government with close collaborations potentially with the Russian government and so forth. So when you take that into account, we see a lot of the typical anti NATO targeting. Anything with Ukraine right now is obviously a very hot topic. But ultimately whatever borders Belarus is, is tends to be the area of focus for them. Now the activity of going against Russian or sorry, Ukrainian organizations, gov, military, like we saw in our research here, that's ultimately like not too unexpected for this group. That's kind of the MO for them going after something that would be such a high priority to them. Getting intelligence on the Ukrainian operations and so forth is very key. But then you see almost like this secondary cluster of activity within Ghostwriter that is doing the domestic stuff. So we see the domestic stuff is ultimately trying to push out propaganda, trying to blend with like information ops combined with like these targeted malware operations against individuals and organizations that might be seen as negative to domestic disputes within Belarus in particular. So we're ultimately seeing like a, a state of Ghost Rider that is targeting anything that is anti Belarus in its current form, if that makes sense.

Dave Bittner (6:26)

Yeah. And now does that differ from previous Ghost Rider operations? I mean particularly that that focus on the domestic.

Tom Hagel (6:36)

It doesn't they have had some activities of going to domestic targeting in the past, but it hasn't been so obvious, you know, previously. There's been a lot of efforts by Ghost Raider and others in the previous presidential election out there to ultimately silence media, journalists and so forth. In this recent activity, it was more so going after like human rights activists, political, direct political opposition and so forth. And that was a little bit more direct in terms of kind of what they're aiming to do. But the ultimate like target sets really aren't outside the bounds of what's normal. What this does show is the first identification of the domestic targeting in quite some time that we've seen from outside as outsiders in Western nations right now. So that is a bit more noteworthy than this targeting itself because they kind of are all over the place and we've seen them pop up in South America, you know, the western countries, a little bit here and there. But domestic stuff Information Ops is kind of like the go to strategic targeting with malware infections like this domestically. It speaks to kind of the, the political affairs kind of going on there domestically right now.

Dave Bittner (7:53)

Yeah, well, let's dig into some of the technical details here. I mean, how do they go about doing the things that they do?

Tom Hagel (8:00)

Yeah, absolutely. So historically the group has leaned into like traditional credential phishing where they give you a link and you go and type your password and they steal your, your account and then go and pilfer everything out of the account. Email, social media and so forth. Typical like spyware, espionage, kind of depending on who the targeting is. More recently in what we reported on here is strategic malware attacks. And the way that they're doing this is rather than trying to steal legitimate credentials and do kind of like a smash and grab of stealing whatever they can get their hands on, they're trying to get maintained access in this case to strategic target devices. So what we reported on ultimately centers around a delivery of a malicious document. In our case, we see Google Drive being the main way of them hosting the malicious documents. So they ultimately email a link to the malicious document saying basically creating the standard phishing lure. In this case, what we have are lures specific to domestic, for like the domestic targets, lures that are very specific to that individual and what that person studies. If it's like the presidential election or political opposition research, things like that, or if it's on the Ukraine side, it's, you know, anti corruption initiatives in Ukraine or military equipment deliveries, things like that. And then that that lure is very specific to their targets. And then they go and download this, this file. In this case, what we mostly see are Excel spreadsheets. And that Excel spreadsheet ultimately contains pretty heavily obfuscated and hidden VBA macro code. And that macro code is kind of like the gateway into the target device. There's a lot of different variations. We reported on a couple of differences in all of them based on who the target is and the timing of specifically when it went down. Which ultimately speaks to kind of seeing the actor shift over time. But what we're seeing are these VBA macros lean into essentially writing a DLL file to the temp directory of the target device in the background. As they're reading this file, this DLL is ultimately loaded. We go through what we call a couple different stages. So the stage one would be the Excel spreadsheet. Stage two would be this DLL file. And this DLL file gains persistence on the machine. It's installed in a persistent way. So anytime the machine starts, this DLL file will attempt to start as well. And what this DLL file is comes down to being essentially a downloader. We call it Picasso Loader. It's kind of the industry standard name or Picasso Downloader. And it essentially is allows a third tool, third layer tooling to be loaded at the attacker's discretion. But it's all gained persistently at that point. So that's how they kind of get it.

Dave Bittner (10:57)

We'll be right back.

Podcast Host / Announcer (11:01)

Ford Bluecruise Hands free Highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in blue Cruise enabled vehicles like the F150 Explorer and Mustang Mach E. Available feature on Equipped with Vehicles Terms apply does not replace safe driving. See Ford.com BlueCruise for more details. Running a business comes with a lot of what ifs, but luckily there's a simple answer to them. Shopify. It's the commerce platform behind millions of businesses, including Thrive Cosmetics and Momofuku. And it'll help you with everything you need. From website design and marketing to boosting sales and expanding operations. Shopify can get the job done and make your dream a reality. Turn those what ifs into sign up for your $1 per month trial at shopify.com specialoffer.

Dave Bittner (12:03)

What would you rate the level of sophistication here in terms of being stealthy?

Tom Hagel (12:09)

You know, the stealth isn't so great, the sophistication isn't high. But what you're seeing is like the persistence and just like the Workability of this whole thing, it's just smooth, it kind of works. And unfortunately in many of these cases the targets that they're going after aren't the often the most secure. So they might be unpatched to a vulnerability or they might not be running some sort of protection that would stop something like this so that that level of sophistication is not quite there. But what we do see, I would say like what is sophisticated about it is more of like the fine tuned crafts to exactly what they're doing. So for example, the way that the VBA ultimately turns into running malware is it goes through a process of essentially rewriting itself in memory and turns itself from the DLL into essentially the malware that runs the net code of the actual malware. And it goes through a couple stages of like obfuscation, using freely available tools out there to conceal itself from antivirus or EDR tools, or even like an analysis of just looking at the file itself. So those little details at like the final stage is what makes it so seamlessly or what makes it so successful to install in many of these cases we've seen. So like overall I wouldn't say like the actor is being incredibly sophisticated. What they are being is persistent and creative. But when it matters like little things just to kind of get past the little hiccups of like endpoint protection or somebody not seeing this file, or somebody having a clue that this file might be malicious, that's where they put a little bit of effort in into it as well. And that really can also be kind of highlighted by the fact that after all this happens, the lure document, a fake lure document is opened to show them what they think they should be seeing anyway. So all this is happening in the background. They're actually given a document of what they believe to be what they were sending and opening. So they might not question this whole process they just experienced.

Dave Bittner (14:13)

Yeah, that's really interesting. I mean it seems like, I don't know, perhaps their capabilities exceed what they're showing in this campaign. Is that a fair way to say it?

Tom Hagel (14:23)

Yeah, that's a good way to put it. Another way to even think about it would be the multi approach that they've always taken over the years. This is just a targeted phishing lure that's delivered malware and it may lead to other malware down the road or strategic data x fill, depending on the victim or whatever. But the fact that this group also has done pretty well in like domestic information ops and propaganda spreading into mainstream media in the Region and even things like the credential phishing I talked about, the combination of skill sets there are pretty diverse, and it speaks to me of like an organization that gets a lot of backing and resources from the more capable organizations, perhaps in Russia or elsewhere, but they're getting the financial backing and they're getting the support to be able to experiment, to kind of do what needs to get done. So pretty interesting group to follow.

Dave Bittner (15:22)

What ultimately does it seem like they're after here? I mean, does it. Is that as customized as the way they come at people?

Tom Hagel (15:31)

Yeah, it definitely is a unique target objective, for sure. So in the Ukraine, government, military organizations, a lot of that may be to just get access and figure out what we can steal for espionage or military intelligence benefits to support Russia in the war. Perhaps it would be to maintain access, to give access to a more sophisticated actor that could do some sort of disruptive efforts or anything like that. That's pretty standard for like a wartime or wartime intrusion effort. But then you go to like the domestic side, and those cases might just be to see examining what political opposition is about to report on or the things they're reporting, the sources of their news, sources of leaks, or maybe even just to like, stop that person from reporting, find out where they are, find out who they are, in some cases, shut them down, disrupt them. So it's a lot of it is like this group can almost be looked at as like the team that kind of gets in, smashes the door to figure out what we should do next in many cases. Obviously the information upside is a little different, but again, speaks to the complexity of this actor for sure.

Dave Bittner (16:43)

Do you have any sense for what their impact has been so far, how successful they may have or may not have been?

Tom Hagel (16:51)

It's really hard to gauge. The domestic stuff in Belarus is. It's almost impossible to gauge from an outsider's perspective. In my case being that this may have been targeted or tied deeply into the presidential election that appears to have gone down uninterrupted from any opposition perspective. So I'm not sure if it really did anything in the end. The Ukraine side, it appears ultimately unsuccessful. It's just another one of the targeted intrusions that ultimately are supporting the war that we're seeing constantly now, and we have been seeing constantly for years. So I don't think any of that is leading to like, a strong indicator of major success from this actor over time. However, the information ops side of this, I think, is their most noteworthy level of success because the narratives that they are crafting and spreading have done quite well, making it to mainstream media locally within the region and western nations over time as well. And then obviously those narratives are used by the supporting governments as well to further their initiatives. So that's very difficult to measure for sure. But it's one of those type of groups that there's not like a massive hit and win of success. And again, a lot of what they're doing might just be getting initial access and then passing it to a group that does something that's really noticeable and that group gets the reputation for doing it. While the initial access was actually somebody more on the ghost raider level.

Dave Bittner (18:24)

Yeah, well, let's say I'm an organization or even a government in one of these high risk regions. What are your recommendations for me to best protect myself against this group?

Tom Hagel (18:36)

Yeah, you know, a lot of the initial access methods center around email delivery. So if I was defending against this actor, I would be looking to email as a very strict method of the actor interacting with potential targets. So, you know, advanced filtering capabilities, getting rid of any emails that link to Google Drive, especially if it contains a password that something can't scan, and then looking at things that are being downloaded, obviously from the agent perspective, I think tracking and monitoring that from a network level, when possible, is great. But if you're doing something like downloading from Google Drive, it's more difficult to inspect that traffic. But when the files are on the machine, there just needs to be strict controls in terms of what can and can't run on machines. For example, a way that some organizations that are targeted by this group succeed in many cases are by if there's a file that's downloaded, if that file was downloaded, never seen in the network before, comes from an email address they've never seen before in their system, and it wants to run anything more than just look at text or anything like that, it's completely blocked. So everybody gets, instead of an Excel spreadsheet, they get an ugly code of text. It keeps them tremendously safe and it's worked to stop a lot of evil, but it's a rough user experience. So somewhere in the middle there's a balance, I'm sure. Right.

Dave Bittner (20:00)

Well, you mentioned Excel spreadsheets and macros. I mean, does something as simple as disabling macros get us anywhere?

Tom Hagel (20:09)

It definitely does. But this is the type of group that will adapt no matter what macros. Getting rid of macros definitely helps. But then it'll be, you know, in the, in the doc, it'll say, hey, here's a link to something else to go and download. Then it'll just download the malware straight from that link itself to avoid email detection. So there's always hoops to hop through. But any of the, the multi layered approach is the way to go. Try and stop them through any means, but also be able to detect and respond to this because again, these groups are not the most sophisticated. But knowing that they had an intrusion in your network and what they got and how you can get them to go away is is key. So retaining the data, retaining the ability to do the forensics when they do get in is important.

Dave Bittner (20:54)

Yeah, it really speaks to that level of persistence that you measured that they're going to keep at it.

Tom Hagel (21:01)

Yeah, exactly. And a lot of these targets in these cases are the political opposition side and human rights activists. These are individuals. They don't often have access to the high end endpoint detection or network filtering or email filtering capabilities. So they're very reliant on Google spam filter or their standard antivirus and things like that. So I think a lot of those folks just need to be really, really careful. If you're using Apple devices, Apple lockdown mode I highly recommend and whatever the Android equivalent equivalent of that is that I'm not sure of those, those work tremendously. So individuals have to take a little bit different approach, but it still can be done.

Dave Bittner (21:40)

For our listeners, what do you hope that they take away from checking out this research?

Tom Hagel (21:45)

Yeah, I think a lot of it comes down to the willingness of diving into research that might not or threat actors that might not be super interesting. They can always lead to interesting stories. In this case we just see malicious documents and they've been reported on a million times in our industry by threat actors using them. But if you follow the chains in today's world, it can often lead to interesting stories. And even the most sophisticated actors out there are still using what works. And in many cases that is just a simple malicious document. So don't take the simplicity of the initial access method for granted. It's always still worth trying to research and dive into these actors and take them all seriously until you really know the true intention.

Dave Bittner (22:37)

Our thanks to Tom Hagel from Sentinel Labs for joining us. The research is titled Ghost New Campaign targets Ukrainian Government and Belarusian Opposition. We'll have a link in the show notes and that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send us an email to cyberwire2k.com this episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.

Tom Hagel (23:44)

Hey, Ryan Reynolds here for Mint Mobile. You know, one of the perks about having four kids that you know about is actually getting a direct line to the big man up north. And this year he wants you to know the best gift that you can give someone is the gift of Mint Mobile's unlimited wireless for $15 a month. Now you you don't even need to wrap it. Give it a try@mintmobile.com Switch upfront payment.

Podcast Host / Announcer (24:06)

Of $45 for three month plan equivalent to $15 per month required new customer offer for first three months only. Speed slow after 35 GB if network's busy. Taxes and fees extra. See mintmobile.com.