Ghostwriter Phishes Ukraine Government Officials

TL;DR: The Belarus-aligned hacking group Ghostwriter is targeting Ukrainian government organizations with a new phishing campaign. The attackers send emails disguised as communications from Prometheus, a popular Ukrainian online learning platform, to trick officials into compromising their systems. The campaign was identified by Ukraine's CERT-UA.
Key facts
- Category: Cybersecurity
- Impact: Low
- Published
- Source: The Hacker News
Full summary
The Belarus-aligned hacking group Ghostwriter is using phishing emails disguised as a popular Ukrainian learning platform to target government organizations.
The Belarus-aligned threat actor known as Ghostwriter is targeting Ukrainian government organizations with a new phishing campaign. According to Ukraine's Computer Emergency Response Team (CERT-UA), the group is sending malicious emails that impersonate Prometheus, a legitimate Ukrainian online learning platform. These emails are designed to trick government employees into clicking malicious links or opening compromised attachments, ultimately leading to system compromise. This operation is the latest in a series of cyberattacks attributed to Ghostwriter, also tracked as UAC-0057 and UNC1151, which has a history of targeting entities in Ukraine and other NATO countries. The choice of a well-known local service as a lure is a calculated social engineering tactic intended to increase the credibility of the phishing attempt.
This campaign highlights the persistent and evolving nature of cyber threats in geopolitical conflicts. By leveraging a trusted local brand, Ghostwriter demonstrates a sophisticated understanding of its target environment, making its attacks more difficult to detect. For security teams and IT departments, this serves as a critical reminder that attackers are constantly refining their methods to bypass technical defenses by exploiting human trust. The primary targets are government entities, but the techniques used could easily be adapted to target businesses. The incident underscores the importance of continuous security awareness training, particularly focused on identifying and reporting suspicious emails, even when they appear to come from familiar sources.
Why it matters
This campaign shows how state-aligned actors use localized, trusted brands in phishing attacks to increase their effectiveness, posing a significant threat to government security.
Business impact
The tactics used by Ghostwriter, such as impersonating trusted local services, can be easily adapted to target businesses. This increases the risk of corporate espionage, data theft, and operational disruption, highlighting the need for robust employee security training.
Primary source: The Hacker News