Editor’s Note: As cyber warfare intensifies alongside geopolitical tensions, Ukraine remains a focal point for sophisticated cyberattacks. The resurgence of UAC-0173 and Ghostwriter underscores the persistent and evolving threats facing governmental institutions, particularly in conflict-affected regions. This article covers the latest cyber-espionage campaigns targeting Ukrainian state infrastructure and opposition groups, describing how attackers use phishing lures and remote-access tooling to manipulate critical systems and exfiltrate sensitive data. For cybersecurity, information governance, and eDiscovery professionals, these developments highlight the urgent need for advanced defense strategies, international cooperation, and proactive cyber resilience in an era of escalating digital warfare.

Industry News – Cybersecurity Beat

Escalating Cyber Warfare: Ukraine Faces Renewed Digital Threats

ComplexDiscovery Staff

In the shifting landscape of modern cybersecurity, the resurgence of UAC-0173, a sophisticated cybercriminal group, highlights the persistent and evolving threats faced by governmental institutions, particularly in conflict-affected regions like Ukraine. This group, known for its targeted cyberattacks on Ukrainian state infrastructure, has recently expanded its focus to notary offices, attempting to gain unauthorized remote access to notary computers and manipulate state registers for financial gain. As reported by the Governmental Computer Emergency Response Team of Ukraine (CERT-UA) on February 25, 2025, these activities form part of a broader cyber-espionage campaign designed to destabilize Ukraine’s public records systems during a period of heightened geopolitical tension.

The first signs of UAC-0173’s latest attacks were observed on February 11, 2025, when malicious activity targeting notary offices began surfacing. The group used deceptive emails masquerading as official correspondence from Ukraine’s Ministry of Justice. These emails contained links to malicious files, such as “HAKA3.exe” and “Order of the Ministry of Justice of February 10, 2025 No. 43613.1-03.exe,” which, when opened, deployed the DARKCRYSTALRAT (DCRAT) malware and laid the groundwork for broader system compromise. DCRAT provided initial access to the targeted systems; the attackers then installed further tooling such as RDPWRAPPER, which allows multiple concurrent Remote Desktop Protocol (RDP) sessions on a workstation and bypasses the local limit on them. This approach gave the attackers persistent remote access while making their activity harder to trace.

The tools leveraged by UAC-0173, including the FIDDLER proxy/sniffer and the XWORM stealer, were integral to this campaign. These were used to intercept the login credentials entered into state register web interfaces and to exfiltrate sensitive data from infected systems. The attackers also hosted their malicious files on legitimate file storage services, which helped the downloads evade traditional security detections.

CERT-UA’s rapid response, in collaboration with Ukrainian cybersecurity agencies such as the Cybersecurity Commission of the Notarial Chamber and law enforcement, played a crucial role in identifying and mitigating these attacks. By isolating and securing compromised systems across six Ukrainian regions, they helped prevent further data manipulation. Furthermore, the guidance provided to notaries on system configurations fortified defenses against future incursions, although the demand for unauthorized modifications to state registers indicates the likelihood of continued attacks by UAC-0173.

This cyber-espionage campaign highlights the paramount importance of international cooperation and comprehensive defense strategies in combating organized cybercrime. Notaries have been urged to maintain heightened vigilance and report any suspicious activity immediately to enable timely interventions. The collaboration between CERT-UA, Ukraine’s Ministry of Justice, and law enforcement agencies remains integral in fending off these sophisticated cyber adversaries.

Ghostwriter and Belarusian Espionage Ties

In a parallel situation, the Ghostwriter Advanced Persistent Threat (APT) group, also known as UNC1151 or UAC-0057, has intensified its cyber-espionage operations against Ukrainian government and military entities, as well as opposition groups in Belarus. The campaign, which had been in preparation since July-August 2024, became active in November-December 2024.

Ghostwriter’s cyber operations have been closely linked with Belarusian government espionage efforts, aligning with broader state-sponsored objectives. The timing of these cyberattacks coincides with key geopolitical events, including the Belarusian presidential election on January 26, 2025. These activities appear to be strategically designed to target opposition groups and disrupt Ukrainian government operations during a politically sensitive period.

Ghostwriter employs sophisticated methodologies, including weaponized Excel files embedded with malicious macros, specifically designed to deliver malware payloads surreptitiously. The attack chain begins with phishing emails that link to Google Drive-hosted archives, which in turn deliver Excel files disguised as reports on political prisoners or anti-corruption efforts. Some of the malicious Excel file names identified in this campaign include “Political Prisoners in Minsk Courts” and “Anti-Corruption Initiative,” both designed to appear as legitimate documents relevant to opposition groups and civil society organizations. These documents entice victims into enabling macros, which activate obfuscated Visual Basic for Applications (VBA) scripts that carry out the next stages of the intrusion. Through this chain the attackers deploy PicassoLoader, a downloader malware variant tailored for this campaign, which uses advanced obfuscation techniques to circumvent security software.

Ghostwriter’s operational precision involves targeting select victims, increasing the likelihood of success while reducing detectability. Their selective payload delivery further strengthens their ability to infiltrate high-value Ukrainian targets. SentinelOne reports that the campaign’s timing aligns with significant geopolitical developments, highlighting the persistent threat posed by cyber adversaries using advanced techniques to compromise security frameworks.

Organizations within the affected regions have been advised to bolster cybersecurity defenses by disabling macros in Office documents and implementing rigorous email filtering solutions.
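Both campaigns described above arrive by email: UAC-0173’s notary lures link to executables named like ministry orders, and Ghostwriter’s lures link to file-sharing archives carrying macro-enabled Excel workbooks. The following mail-filter check is an added example written for this article, not code from CERT-UA, SentinelOne or the affected organizations. It parses a raw RFC 822 message and flags the three indicators the text describes: executable attachments (by extension or by a PE “MZ” header regardless of the declared name), macro-enabled Office documents (by extension or by the presence of a `vbaProject.bin` inside the OOXML zip container), and body links to file-sharing hosts. The sample messages, the placeholder Google Drive URL and the stand-in VBA project bytes are constructed for the example; only the filenames “HAKA3.exe” and “Anti-Corruption Initiative” come from the article.

```python
"""Flag inbound mail matching the lure patterns described in the article (example code)."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that should never arrive as mail attachments in a notary office.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi", ".lnk"}
# Office formats whose extension alone advertises an embedded macro project.
MACRO_ENABLED_EXT = {".xlsm", ".xlam", ".xltm", ".docm", ".dotm", ".pptm"}
# File-sharing hosts used to stage the archives in the Ghostwriter campaign.
SHARE_LINK_RE = re.compile(r"https?://(?:drive|docs)\.google\.com/\S+", re.IGNORECASE)


def _extension(name: str) -> str:
    """Return the last extension, lower-cased; 'Order No. 43613.1-03.exe' -> '.exe'."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _has_vba_project(payload: bytes) -> bool:
    """OOXML documents are zip containers; macros live in a vbaProject.bin member."""
    if not payload.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_message(raw: bytes) -> list[str]:
    """Return a list of 'indicator:detail' strings; an empty list means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []

    # 1. Links to file-sharing hosts in the message body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for match in SHARE_LINK_RE.finditer(text):
        findings.append(f"share-link:{match.group(0)}")

    # 2. Attachments: judge by extension AND by content, since the sender controls both
    #    the filename and the declared MIME type.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = _extension(name)
        if ext in EXECUTABLE_EXT:
            findings.append(f"executable-attachment:{name}")
        elif payload.startswith(b"MZ"):  # PE header hidden behind a document-looking name
            findings.append(f"pe-disguised-as:{name}")
        if ext in MACRO_ENABLED_EXT or _has_vba_project(payload):
            findings.append(f"macro-document:{name}")
    return findings


# --- Constructed sample messages (not real captures) ---------------------------------

def _build_sample(subject: str, body: str, attachments: list[tuple[str, bytes]]) -> bytes:
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "notary@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    for name, data in attachments:
        # MIME type deliberately left generic: the scanner must not trust it anyway.
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def _fake_macro_workbook() -> bytes:
    """Minimal zip with the member layout of a macro-enabled workbook (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder, not a real VBA project")
    return buf.getvalue()


SAMPLE_NOTARY_LURE = _build_sample(
    "Order of the Ministry of Justice",
    "Please review the attached order.",
    [("HAKA3.exe", b"MZ\x90\x00" + b"\x00" * 60)],  # constructed PE stub
)
SAMPLE_OPPOSITION_LURE = _build_sample(
    "Anti-Corruption Initiative",
    "Full report: https://drive.google.com/file/d/PLACEHOLDER_ID/view",  # placeholder URL
    [("Anti-Corruption Initiative.xlsm", _fake_macro_workbook())],
)
SAMPLE_BENIGN = _build_sample("Meeting notes", "See attached.", [("notes.txt", b"hello")])

if __name__ == "__main__":
    for label, raw in [("notary", SAMPLE_NOTARY_LURE), ("opposition", SAMPLE_OPPOSITION_LURE),
                       ("benign", SAMPLE_BENIGN)]:
        print(label, scan_message(raw))
```

The content checks matter more than the extension lists: a renamed executable still starts with `MZ`, and a workbook saved with a harmless-looking extension still carries its `vbaProject.bin`. A gateway rule built on this logic quarantines rather than silently drops, so notaries can report the lure as the article advises.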

Cyber Threats and the Future of Digital Security

The resurgence of cybercriminal entities like UAC-0173 and Ghostwriter underscores the critical need for vigilant cybersecurity practices and international cooperation. As cyber warfare continues to evolve alongside geopolitical tensions, governmental cybersecurity teams and international partners must remain proactive in countering these persistent threats. Strengthening digital defenses, fostering intelligence-sharing networks, and deploying advanced threat detection measures will be essential in safeguarding critical infrastructure and ensuring the stability of national security frameworks in an era of growing cyber conflict.

Assisted by GAI and LLM Technologies

Source: ComplexDiscovery OÜ

The post Escalating Cyber Warfare: Ukraine Faces Renewed Digital Threats appeared first on ComplexDiscovery.