Ghostwriter

aka: DEV-0257, PUSHCHA, Storm-0257, TA445, UAC-0057, UNC1151

Ghostwriter is referred to as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.


Associated Families
win.microbackdoor

References
2024-07-25 | SOC Prime | Veronika Telychko
UAC-0057 Attack Detection: A Surge in Adversary Activity Distributing PICASSOLOADER and Cobalt Strike Beacon
Cobalt Strike PicassoLoader Ghostwriter
2023-07-07 | Cert-UA | Cert-UA
UAC-0057 Targeted Cyber Attack Against Government Agencies Using PicassoLoader/njRAT (CERT-UA#6948)
PicassoLoader Ghostwriter
2023-06-16 | SOC Prime | Veronika Telychko
PicassoLoader and Cobalt Strike Beacon Detection: UAC-0057 aka GhostWriter Hacking Group Attacks the Ukrainian Leading Military Educational Institution
Cobalt Strike PicassoLoader Ghostwriter
2023-02-16 | Google | Shane Huntley
Fog of war: how the Ukraine conflict transformed the cyber threat landscape
APT28 Ghostwriter SaintBear Sandworm Turla
2022-07-20 | Mandiant | Mandiant Threat Intelligence
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20 | U.S. Cyber Command | Cyber National Mission Force Public Affairs
Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-19 | Google | Billy Leonard
Continued cyber activity in Eastern Europe observed by TAG
CyberAzov APT28 Callisto Ghostwriter Sandworm Turla
2022-04-29 | AttackIQ | Francis Guibernau, Jackson Wells
Attack Graph Response to UNC1151 Continued Targeting of Ukraine
MicroBackdoor
2022-04-07 | InQuest | Nick Chalard, Will MacArthur
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-25 | GOV.UA | State Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-14 | Qianxin | Red Raindrop Team
Analysis Of Attack Activities Of Suspected APT Organization UNC1151 Against Ukraine And Other Countries
MicroBackdoor
2022-03-08 | Cluster25 | Cluster25
GhostWriter / UNC1151 adopts MicroBackdoor Variants in Cyber Operations against Ukraine
MicroBackdoor
2022-03-07 | Cert-UA | Cert-UA
UAC-0051 (UNC1151) Cyberattack on Ukrainian State Organizations Using MicroBackdoor Malware (CERT-UA#4109)
MicroBackdoor
2022-02-28 | Bleeping Computer | Sergiu Gatlan
Meta: Ukrainian officials, military targeted by Ghostwriter hackers
Ghostwriter
2021-11-16 | Mandiant | Alden Wahlstrom, Alice Revelli, Ben Read, David Mainor, Gabriella Roncone, Mandiant Research Team, Sam Riddell
UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests
Ghostwriter
2021-05-04 | Cr4sh
Cr4sh / MicroBackdoor : Small and convenient C2 tool for Windows targets
MicroBackdoor
2021-03-31 | Twitter (@hatr) | Hakan Tanriverdi
Tweet on Ghostwriter
Ghostwriter
2020-07-29 | FireEye | David Mainor, Gabby Roncone, Lee Foster, Sam Riddell
'Ghostwriter' Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests
Ghostwriter

Credits: MISP Project