‘Ghostwriter’ Looks Like A Purely Russian Op – Except Not
For at least four years, the hacking and disinformation group known as Ghostwriter has plagued the countries of Eastern Europe and the Baltics. Because of its methods — and its anti-NATO and anti-US messages — the widespread assumption is that Ghostwriter is another Kremlin-led campaign. Even the European Union declared at the end of September that some member states “joined” Ghostwriter “in the Russian state.” As you know, that’s not right. According to the threat intelligence company Mandiant, Ghostwriter hackers are working for Belarus.
Mandiant looked carefully at Ghostwriter in July 2020. The group was previously best known for creating and distributing fake news articles and even hacking real news sites to post misleading content. By April 2021, Mandiant blamed Ghostwriter for broader activity, including operations to compromise the social media accounts of government officials to spread misinformation and efforts to target politicians with hacking and leaking operations. The group has long focused on undermining NATO’s role in Eastern Europe, and has increasingly turned to provoking political division or instability in Poland, Ukraine, Lithuania, Latvia, and Germany.
At the Cyberwarcon conference in Washington, DC on Tuesday, Mandiant analysts Ben Read and Gabby Roncone presented evidence of Ghostwriter’s relationship to Belarus.
“The credential theft activity targeting Eastern Europe and anti-NATO information operations are both in line with what we have seen Russia do in the past,” Read told WIRED before the conference. Despite the familiar tactics, techniques, and methods, Mandiant did not attribute the activity to Moscow at the time, as it had not found specific digital links.
After Belarus’s controversial elections in August 2020, longtime President Alexander Lukashenko remained in power amid accusations that opposition leader Sviatlana Tsikhanouskaya actually won. The U.S. has criticized the election and many of Belarus’s neighbors, including Poland, have made it clear that they support the Belarusian opposition. During this time, Mandiant observed a dramatic change in Ghostwriter’s campaigns.
“We have seen a shift to a much greater focus on Belarus-specific issues — targeting Belarusian dissidents, Belarusians in the media, things that are exactly what they are doing to support the Belarusian government,” Read said. “And then we also stumbled upon the technical details that made us think the operators were located in Minsk and so on identifying the Belarusian military. That brings us to the point now where we are confident to say that Ghostwriter has a link to Belarus.”
Shane Huntley, who heads Google’s Threat Analysis Group, says Mandiant’s research fits with TAG’s own observations. “Their report is in line with what we’ve observed,” he told WIRED.
While the group’s activity suggests more of a specific Belarusian summer agenda, Mandiant is working to eliminate who really backs the campaigns. Since last year’s election, 16 of 19 Ghostwriter disinformation operations have focused on narratives that denigrate the governments of Lithuania and Poland, neighbors of Belarus. Two point negatively at NATO and one criticizes the EU.
A Ghostwriter operation in August that focused on Poland and Lithuania pushed a false account accusing migrants of committing crimes. Long-standing tensions between Poland and Belarus have escalated so much in recent weeks that the border has served as a flashpoint. Other recent operations alleged accidents at Lithuania’s nuclear power plants, probably because Lithuania has long opposed the proximity of Belarus’s Astravyets nuclear plant to its border. Belarusian state television took reports of Ghostwriter’s misinformation and repeated them, although it was unclear whether this was the result of specific coordination or just part of a general feedback loop of pro-government propaganda in Belarus. Read also points out that Ghostwriter does not focus on Estonia — a Baltic state without a border with Belarus.