Threat actor uncovered targeting Poland, Ukraine


The threat group uses malicious Microsoft Office files to target governmental and military organizations, as well as civilians, in Poland and Ukraine.

The aim of the attacks is “very likely” to steal information and gain remote access, according to Cisco Talos, a cybersecurity firm, which traced a string of operations to April last year.

“The actor is focusing on Ukrainian and Polish government and military targets, based on the content of Excel and PowerPoint lures that include official-looking images and text,” Cisco Talos said.

The latest attack occurred as recently as earlier this month, demonstrating the “persistent nature” of the threat, the firm said in a blog post.

Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed the latest attack to a threat actor known as UNC1151, which is believed to be part of the Ghostwriter campaign linked to the Belarusian government.

Previous targets of the attacks analyzed by Cisco Talos included Poland’s Ministry of National Defence and the Ministry of Defence of Ukraine, but general users and businesses were also targeted, according to the firm.

“The generic campaigns are aimed at various civilian targets in Poland and Ukraine, such as with Excel spreadsheet lures masquerading as value-added tax (VAT) return forms,” Cisco Talos said.

Other lures included Excel spreadsheets that contain “socially engineered instructions on how to enable macros in Excel so that the malicious VBA code can be executed,” it added.

According to cybersecurity experts, the attacks use a multistage infection chain initiated by malicious Microsoft Office documents, most commonly Microsoft Excel and PowerPoint files.

“This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult,” Cisco Talos said.

It noted that PowerPoint files were “more unusual” because they would execute malicious VBA code without showing any actual slides when opened.

In contrast, all Excel files would display legitimate-looking documents, including payslips for soldiers of specific military units.