In July 2020, a cyber-enabled influence campaign, dubbed Ghostwriter, was spotted. It mainly targeted Poland, Lithuania, and Latvia. However, based on some developments reported by researchers, the campaign has been attributed to an uncategorized threat actor.

Key findings

  • Between October 2020 and January 2021, five new Ghostwriter-related activities were conducted in both English and Polish.
  • The operations used compromised Facebook, Twitter, and Instagram accounts of Polish officials.
  • The operations aimed at discrediting the ruling political coalition.

Operation trends

The incidents shared consistent themes:
  • Two spread compromising photos of officials and people they are connected with.
  • Two spread false allegations about respective officials criticizing female activists.
  • One disseminated rumor about an official wanting to relinquish her affiliation with the PiS party.


  • Parts of the campaign have been connected to UNC1151 as several emails, artifacts, and documents linked to the threat actor were used in the Ghostwriter campaign.
  • The narratives, chronology, and content of at least 13 emails sent to various Europe and U.S.-based media outlets by UNC1151 lined up with previous Ghostwriter operations.
  • Technical indicators point that the email accounts belonging to Polish officials were compromised by the threat group during the same timeframe they were used in the Ghostwriter campaign.

The bottom line

UNC1151 has not been connected to any known threat actor and is primarily involved in credential harvesting and malware delivery via spear-phishing attacks. The expansion of the narratives and tactics, techniques, and procedures (TTPs) of the Ghostwriter campaign suggests that at least some parts of the campaign are conducted by this threat actor. Nevertheless, current intelligence gaps did not allow researchers to conclusively attribute Ghostwriter to UNC1151.

Cyware Publisher