Researchers from Mandiant Threat Intelligence have claimed with high confidence that the Ghostwriter (UNC1151) disinformation campaign is associated with the government of Belarus. It was spotted spreading fake news content on compromised news websites in August 2020.
The Belarus connection
Mandiant Threat Intelligence evaluates with high confidence that UNC1151 is associated with the Belarusian government and provided technical support to the Ghostwriter campaign.
The campaign tried to infiltrate multiple Belarusian media entities and several members of the opposition parties in the year before the 2020 Belarusian election.
While the group did not target Russian or Belarusian state entities, media entities in Lithuania, Poland, Ukraine, and Latvia were on its target list.
Researchers also noted that some individuals targeted by UNC1151 before the 2020 Belarusian election were later arrested by the Belarusian government.
The sensitive technical information collected by the researchers implies that the attackers were possibly operating from Minsk, a city of Belarus controlled by the Belarusian Military. These connections with the location were confirmed via various sources, which provided a strong indication of the involvement of Belarusian threat actors.
However, researchers further stated that Russian contributions can not be ruled out.
The GhostWriter campaign
The GhostWriter campaign has been active since March 2017 and as per earlier research, it was believed to be working for Russian interests.
The attackers behind this GhostWriter campaign had compromised Content Management Systems (CMS) of news websites or spoofed email accounts to propagate fake news.
They replaced existing genuine articles on the sites with fake ones, instead of creating new posts.
They spread falsified news articles, correspondence, quotes, and other documents that appear to be sent from political figures and military officials in the target countries.
The campaign targeted specific states members of the alliance, such as Lithuania, Poland, and Latvia.
The recent information regarding the GhostWriter campaign shows how nation-states involve themselves in cyberattacks for their national interests. Moreover, many private sector organizations have been caught in the crossfire of such state-sponsored cyber operations across the globe.