CyberWire Daily: "Excel-lerating Cyberattacks. [Research Saturday]"

Release Date: March 22, 2025
Host/Author: N2K Networks
Description: The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.

Introduction

In this episode of CyberWire Daily, hosted by Dave Bitner, the focus shifts to a deep dive into the activities of a persistent cyber threat actor known as Ghostwriter. The episode, titled "Excel-lerating Cyberattacks. [Research Saturday]", features an insightful discussion with Tom Hagel, Principal Threat Researcher from Sentinel Lab's research team. The conversation uncovers the evolving tactics of Ghostwriter, particularly their recent campaigns targeting Ukrainian government officials and the Belarusian opposition.

Overview of Ghostwriter Threat Actor

Dave Bitner begins by providing background on Ghostwriter, highlighting their decade-long presence in the cybersecurity landscape. "Ghostwriter is an actor that we've been pretty closely tracking for some time," Bitner states at [02:22]. The prominence of Ghostwriter surged around 2016, but their activities in the Ukraine war zone drew significant attention recently.

Tom Hagel elaborates on the research titled "Ghost New Campaign targets Ukrainian Government and Belarusian Opposition," emphasizing the group's expansion into regions traditionally under defensive cybersecurity postures. "A lot of interesting things are going on at this point, which took our attention to focus on them," Hagel explains at [02:46].

Targeting Strategies

The discussion delves into Ghostwriter's strategic targeting of Ukrainian government officials and Belarusian opposition figures. Bitner notes, "Ghostwriter is likely in operation within the Belarus government with close collaborations potentially with the Russian government" ([04:35]). This alignment suggests a dual objective: anti-NATO efforts and domestic suppression within Belarus.

Hagel points out the domestic targeting aspect, which involves propaganda dissemination and strategic malware operations against individuals like human rights activists and political opponents. "The domestic stuff is ultimately trying to push out propaganda, trying to blend with information ops," Hagel states at [04:21].

Technical Details of Attacks

A significant portion of the episode dissects the technical methodologies employed by Ghostwriter. Bitner outlines the evolution from traditional credential phishing to more sophisticated malware delivery systems. "Rather than trying to steal legitimate credentials and do a smash and grab, they're trying to maintain access to strategic target devices," he explains at [08:05].

The attack sequence involves:

1. Malicious Documents: Delivery via Google Drive links with highly targeted lures specific to the individual's interests or roles ([08:05]).
2. Excel Spreadsheets with VBA Macros: These contain obfuscated VBA code that, when executed, writes a DLL file to the target's temporary directory ([08:05]).
3. Persistence Mechanism: The DLL, referred to as the "Picasso Loader," establishes persistent access and allows for the deployment of additional malicious tools ([08:05]).

Bitner emphasizes the dual-stage process, highlighting the seamless transition from the Excel file to the malware download, which often evades endpoint protection systems through obfuscation techniques ([12:46]).

Sophistication and Impact

When questioned about the sophistication of Ghostwriter's tactics, Bitner provides a nuanced perspective. "The stealth isn't so great, the sophistication isn't high," he admits at [12:51]. However, he acknowledges the group's persistence and creativity in maintaining access and adapting their techniques to bypass security measures.

Despite the relatively low sophistication, Ghostwriter's impact is notable in their ability to infiltrate and conduct both espionage and information operations. Bitner remarks, "The combination of skill sets there are pretty diverse, and it speaks to me of an organization that gets a lot of backing and resources" ([15:06]).

The group's influence extends beyond immediate data theft, particularly through their successful information operations that shape narratives both locally and internationally. "The narratives that they are crafting and spreading have done quite well, making it to mainstream media locally within the region and western nations over time as well," Bitner observes at [17:33].

Recommendations for Protection

Addressing protective measures, Bitner offers several strategies for organizations and individuals to safeguard against Ghostwriter's tactics:

1. Email Filtering: Implement advanced filtering to block suspicious links, especially those pointing to platforms like Google Drive ([19:18]).
2. Endpoint Controls: Enforce strict controls on downloadable files and executable content. "If a file was downloaded, never seen in the network before, comes from an email address they've never seen before, it’s completely blocked," Bitner advises ([19:18]).
3. Disable Macros: While not foolproof, disabling macros in Excel can prevent initial exploit attempts. However, attackers may adapt by directing users to download malware directly ([20:51]).
4. Multi-layered Security Approach: Combining various security measures to detect and respond to intrusions effectively is crucial ([20:51]).
5. Forensic Preparedness: Maintain capabilities to perform forensics in the event of a breach to understand and mitigate impacts ([20:51]).

For individual users, especially those with limited security infrastructure, Bitner suggests using device-specific protections like Apple’s Lockdown Mode to enhance security ([21:37]).

Conclusion

The episode concludes with Dave Bitner urging listeners to not underestimate the simplicity of initial access methods used by threat actors like Ghostwriter. "Don't take the simplicity of the initial access method for granted," he emphasizes ([22:28]). The key takeaway is the importance of comprehensive research and proactive security measures to counteract even seemingly basic cyber threats.

Tom Hagel summarizes the importance of understanding Ghostwriter's multifaceted approach, reinforcing the need for continuous vigilance and adaptive security strategies to stay ahead in the ever-evolving cybersecurity landscape.

Notable Quotes

• Dave Bitner [02:22]: "Ghostwriter is an actor that we've been pretty closely tracking for some time."
• Tom Hagel [02:46]: "The research is titled Ghost New Campaign targets Ukrainian Government and Belarusian Opposition."
• Dave Bitner [04:35]: "Ghostwriter is likely in operation within the Belarus government with close collaborations potentially with the Russian government."
• Dave Bitner [08:05]: "They're trying to get maintained access to strategic target devices."
• Dave Bitner [12:51]: "The stealth isn't so great, the sophistication isn't high."
• Dave Bitner [17:33]: "The narratives that they are crafting and spreading have done quite well."
• Dave Bitner [19:18]: "If I was defending against this actor, I would be looking to email as a very strict method of the actor interacting with potential targets."
• Dave Bitner [22:28]: "Don't take the simplicity of the initial access method for granted."

This comprehensive summary encapsulates the critical discussions and insights shared in the episode, providing a clear understanding of Ghostwriter's operations, their impact, and actionable strategies for cybersecurity defense.