‘Ghostwriter’ Looks Like a Purely Russian Op—Except It’s Not


For at least four years, the hacking and propaganda group known as Ghostwriter has plagued Eastern Europe and the Baltic countries. Given its methods and its anti-NATO and anti-US messages, there has been a widely held belief that Ghostwriter is another Kremlin-led campaign. The European Union, too, declared at the end of September that some member states have “affiliated” Ghostwriter “with the Russian state”. As it turns out, this is not quite right. According to threat intelligence firm Mandiant, Ghostwriter’s hackers work for Belarus.


Mandiant first took a closer look at Ghostwriter in July 2020. The group was then primarily known for creating and distributing fake news articles and even hacking real news sites to post misleading content. As of April 2021, Mandiant held Ghostwriter responsible for widespread activity, including attempts to compromise social media accounts of government officials to spread misinformation, and to target politicians with hack-and-leak operations. The group has long focused on reducing NATO’s role in Eastern Europe, and has increasingly turned to fueling political divisions or instability in Poland, Ukraine, Lithuania, Latvia and Germany.

At the CyberwarCon conference in Washington, DC on Tuesday, Mandiant analysts Ben Read and Gabby Roncone are presenting evidence of Ghostwriter’s Belarusian ties.


“Credential theft activity targeting Eastern Europe and anti-NATO information campaigns both line up with what Russia has been seen doing in the past,” Read told Nerdshala ahead of the conference. Despite those familiar tactics, techniques, and procedures, Mandiant did not attribute the activity to Moscow at the time, as it had not seen specific digital links.

After Belarus’ controversial elections in August 2020, longtime President Alexander Lukashenko retained power amid allegations that opposition leader Svyatlana Tsikhanovskaya had in fact won. The US condemned the election, and many of Belarus’ neighbors, including Poland, made it clear that they supported the Belarusian protest. During this time, Mandiant saw a marked change in Ghostwriter’s campaigns.


“We saw a shift in focus to a lot more on Belarus-specific issues – Belarusian dissidents, targeting Belarusians in the media, things that really look like they are organized in support of the Belarusian government,” Read said. “And then we also stumbled upon technical details that we think show the operators are based in Minsk and some others that hint at the Belarusian military. This brings us now to the point where we have confidence to say that Ghostwriter has a link to Belarus.”

Shane Huntley, who leads Google’s Threat Analysis Group, says the Mandiant research fits with TAG’s own findings. “Their reports are in line with what we have seen,” he told Nerdshala.

As the group’s activity pointed more and more toward a specifically Belarusian agenda over the summer, Mandiant worked to find out who was really behind the campaigns. Since last year’s election, 16 of 19 Ghostwriter disinformation operations focused on narratives that disparage the Lithuanian and Polish governments, Belarus’ neighbors. Two focused negatively on NATO and one criticized the European Union.

In August, a Ghostwriter operation centered on Poland and Lithuania promoted a false narrative accusing migrants of committing crimes. Long-running tensions between Poland and Belarus have escalated dramatically in recent weeks, with the border as a flashpoint. Other recent operations have alleged accidents at Lithuania’s nuclear power plants, perhaps because Lithuania has long opposed Belarus’s Astravets nuclear plant, which sits close to the border. State television in Belarus has picked up and repeated the Ghostwriter misinformation narratives, although it is not clear whether this was the result of specific coordination or part of a general feedback loop of pro-Belarusian government propaganda. Read also points out that Ghostwriter has not focused on Estonia, a Baltic state that does not border Belarus.

Although Mandiant is not publicly releasing details of its evidence, the researchers say technical indicators link Ghostwriter activity to the Belarusian government and individuals in Minsk. Additional clues potentially reveal a specific connection to the Belarusian military. The researchers say they observed these connections directly and confirmed them with outside sources as well. Read also notes that among the governments that Ghostwriter has targeted, the group usually focuses on the ministries of defense rather than the ministries of foreign affairs, which may suggest a focus on military intelligence.

Lukasz Olejnik, an independent cybersecurity researcher and consultant who has followed Ghostwriter’s influence in Eastern Europe, says some of the group’s activity, particularly political leaking operations, has been significant in countries such as Poland. “I do not know what the objectives of these operations were, but I would risk to say that some of them were successfully achieved,” he says. “This is the most significant politically or militarily motivated cyber operation targeting the eastern parts of the European Union.”

Ghostwriter operations aren’t the most technically sophisticated, Read says, but the group seems completely independent and doesn’t overlap infrastructure with other known groups that Mandiant has observed. The hackers use their own malware rather than open source or publicly available tools and seemingly have their own public cloud infrastructure.

The European Union and other researchers have attributed Ghostwriter to Russia, but Read says these findings are not necessarily in conflict, especially given that governments have varying visibility and evidence available.

“Belarus and Russia have a long political union, so I cannot say that Russia is not involved,” Read says. “But what we’ve picked up on is that we don’t see anything connecting them right now.”
