A disinformation campaign called Ghostwriter (UNC1151), identified in 2020 but operating since 2017 in Eastern European countries, has been linked by Mandiant researchers to an internal operation of the Belarusian government that benefits the interests of the country's current political representatives.
According to Mandiant researchers, unlike traditional disinformation campaigns where criminals abuse social media to share false news en masse, Ghostwriter campaigns use specific procedures (which include email theft from journalists) to impersonate major news portals and thereby email malicious content to victims.
“We have determined that UNC1151 uses GoPhish to send emails, including cyber espionage and the dissemination of fake content. They often spoof email addresses and email delivery services such as SMTP2GO to legitimate themselves. [They also] utilize credential harvesting domains in an attempt to spoof webmail providers, generic login pages, and the legitimate websites of their targets,” the researchers write in a report published on Tuesday (16).
Ghostwriter's fake content includes false news, material taken out of context or out of its time, lies and even false documents that claim to come from the government, police and army of the victim countries. This false information is sent to residents of Eastern European countries, mainly Poland, Latvia and Lithuania.
Another aspect of the group's attacks is the fabrication of false claims associated with sources of journalistic interest, which are sent to journalists so that they publish them as legitimate, even though they are faked.
One such case is the news item “Coronavirus strikes Latvia” from the pEdNews portal, where it was falsely claimed by a lieutenant colonel in the Latvian army that 21 soldiers had been diagnosed with COVID-19.
According to the researchers, since the August 2020 elections, 16 of the group's 19 operations have promoted narratives against the governments of Poland and Lithuania. In Belarus, opposition members who were victims of this defamation campaign were arrested by the local police after being identified as criminals, even on the basis of false statements disclosed by the group.
Mandiant explains that there is no way to confirm a link between the Ghostwriter group and Russia, but analysis of the campaigns shows a lot of similarity of political interests. For that reason, a relationship between Russia, Belarus and the Ghostwriter group cannot be ruled out.
“The Belarusian sponsorship of UNC1151 and links to Ghostwriter operations show the accessibility and denial of provocative intelligence operations. Although the cyber espionage operation was regionally focused and primarily took advantage of an open source platform to steal credentials, it was able to support impactful information operations. These types of cyber operations are one of the many tools that governments use to achieve their goals, and they do not exist in a vacuum, but are leveraged alongside other types of operations,” the researchers conclude.