CyberWire Daily

Excel-lerating cyberattacks. [Research Saturday]

Mar 22, 2025

Tom Hegel, Principal Threat Researcher at SentinelLabs, delves into the alarming tactics of the Ghostwriter cyber group targeting Ukraine and Belarus. He reveals how weaponized Excel documents are exploited in sophisticated malware attacks. The discussion highlights new obfuscation techniques and the strategic targeting of political opposition during wartime. Hegel emphasizes the importance of understanding basic cyber threats and fortifying defenses against relentless and clever attacks that can compromise even well-guarded systems.

26:43

Creator website

Episode guests

Tom Hegel

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The Ghostwriter campaign utilizes sophisticated malware tactics, including weaponized Excel documents, to target Ukrainian and Belarusian political entities.

As cyber threats evolve, organizations must enhance email security and awareness, particularly for high-risk individuals such as human rights activists.

Deep dives

Ghostwriter's Targeting Strategy

Ghostwriter is a cyber threat actor that primarily targets Ukrainian government entities and the Belarusian opposition, particularly focusing on the election cycle in Belarus. This group's activity has historically been linked to the Belarusian government, with ties to Russian interests, showcasing their strategy to gather intelligence on Ukrainian military operations. Their attacks are aimed at destabilizing opposition, influencing domestic narratives, and pushing out propaganda to reinforce governmental control. The group's recent shift towards domestic targeting demonstrates their evolving tactics, transitioning from external missions to internal political suppression.

Intro

2min

Ghostwriter: Evolving Tactics in Cyber Threats

9min

Unpacking the Persistence and Craft of Cyberattacks

4min

Cyber Warfare and Defense Strategies

7min

The Importance of Investigating Simple Cyber Threats

2min

This week, we are joined by Tom Hegel, Principal Threat Researcher from SentinelLabs research team, to discuss their work on "Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition." The latest Ghostwriter campaign, linked to Belarusian government espionage, is actively targeting Ukrainian military and government entities as well as Belarusian opposition activists using weaponized Excel documents.

SentinelLabs identified new malware variants and tactics, including obfuscated VBA macros that deploy malware via DLL files, with payload delivery seemingly controlled based on a target’s location and system profile. The campaign, which began preparation in mid-2024 and became active by late 2024, appears to be an evolution of previous Ghostwriter operations, combining disinformation with cyberattacks to further political and military objectives.

The research can be found here:

Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition

Learn more about your ad choices. Visit megaphone.fm/adchoices

Remember Everything You Learn from Podcasts

Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.

CyberWire Daily

Excel-lerating cyberattacks. [Research Saturday]

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Ghostwriter's Targeting Strategy

Evolving Tactics and Malware Delivery

Defensive Recommendations for High-Risk Organizations

The research can be found here:

Remember Everything You Learn from Podcasts