Ghostwriter Phishing Campaign Uses Prometheus Lures to Target Ukrainian Government Entities
What Happened — The Belarus‑aligned threat actor Ghostwriter (also known as UNC1151) has been distributing phishing emails that masquerade as communications from Prometheus, a popular Ukrainian e‑learning platform. The messages are aimed at ministries, agencies, and other government bodies in Ukraine.
Why It Matters for TPRM —
- Phishing attacks can lead to credential theft, enabling deeper compromise of third‑party services used by government agencies.
- Successful credential compromise may expose sensitive data shared with external vendors or cloud providers.
- Early awareness allows organizations to tighten email security controls and educate staff, reducing supply‑chain risk.
Who Is Affected — Government ministries, regulatory bodies, and any public‑sector entities that rely on email communications with Ukrainian officials.
Recommended Actions —
- Review and harden email filtering rules for all government‑related domains.
- Conduct phishing awareness training focused on lures tied to local services (e.g., Prometheus).
- Verify that privileged accounts use multi‑factor authentication and have limited access to third‑party systems.
Technical Notes — Attack vector: spear‑phishing emails with malicious links or attachments. No specific CVEs disclosed. Potential data types at risk include login credentials, internal communications, and any downstream data accessed with compromised accounts. Source: The Hacker News