A US cybersecurity firm is reporting on an ongoing cyber-influence operation code-named “Ghostwriter.” Recently obtained technical evidence suggests that UNC1151, a suspected state-sponsored cyber espionage actor, has targeted audiences in Lithuania, Latvia, and Poland with narratives critical of NATO’s presence in Eastern Europe. According to a FireEye report:
April 28, 2021
In July 2020, Mandiant Threat Intelligence released a public report detailing an ongoing influence campaign we named “Ghostwriter.” Ghostwriter is a cyber-enabled influence campaign which primarily targets audiences in Lithuania, Latvia and Poland and promotes narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe. Since releasing our public report, we have continued to investigate and report on Ghostwriter activity to Mandiant Intelligence customers. We tracked new incidents as they happened and identified activity extending back years before we formally identified the campaign in 2020. A new report by our Information Operations analysis, Cyber Espionage analysis, and Mandiant Research teams provides an update on Ghostwriter, highlighting two significant developments.
We have observed an expansion of narratives, targeting and TTPs associated with Ghostwriter activity since we released our July 2020 report. For example, several recent operations have heavily leveraged the compromised social media accounts of Polish officials on the political right to publish content seemingly intended to create domestic political disruption in Poland rather than foment distrust of NATO. These operations, conducted in Polish and English, appear to have largely not relied on the dissemination vectors we have typically observed with previous Ghostwriter activity, such as website compromises, spoofed emails or posts from inauthentic personas. We have observed no evidence that these social media platforms were themselves in any way compromised, and instead believe account credentials were obtained using the compromised email accounts of targeted individuals.
Recently obtained technical evidence now allows us to assess with high confidence that UNC1151, a suspected state-sponsored cyber espionage actor that engages in credential harvesting and malware campaigns, conducts at least some components of Ghostwriter influence activity.
UNC1151, the cyberespionage group tracked by FireEye, has not yet been linked to any known influence actor, but the influence operation aligns with Russian interests. According to US cybersecurity media, UNC1151 has been running operations aimed at credential harvesting and malware delivery through spear-phishing attacks. The credential-stealing attacks targeted government, military, and media organizations in Poland, Ukraine, and Baltic countries, but the group was also observed attempting to compromise the accounts of other entities of interest, including journalists and activists.
Russia is a prolific actor in the influence operations space. It is especially well known for its attempts to interfere in the elections of democratic countries, particularly in the United States. Most of its influence operations appear to be conducted via cyber activities.
In April, we reported on a NATO study assessing Lithuania’s countermeasures directed at Russian disinformation.