For at least four years, the hacking and misinformation group known as “Ghostwriter” has been operating unchecked in Eastern Europe and the Baltic states. Given the group’s methods – and its messaging against NATO and the United States – the widespread assumption was that Ghostwriter is another campaign led by the Kremlin and Russian President Vladimir Putin. The European Union even said in late September that some Member States had “linked” Ghostwriter “to the Russian state”. As it turns out, this is not right. According to threat intelligence firm Mandiant, Ghostwriter hackers are working for Belarus.
Mandiant first took a close look at Ghostwriter in July 2020. The group was then known for creating and distributing fake news articles and even for hacking into news websites to publish misleading content. By April 2021, Mandiant had expanded its view of Ghostwriter to include operations to breach government officials’ social media accounts to spread misinformation and hack-and-leak targeting. The group has long focused on undermining NATO’s role in Eastern Europe and is increasingly focusing on sparking political divisions or instability in Poland, Ukraine, Lithuania, Latvia and Germany.
At the Cyberwarcon conference in Washington, DC, on Tuesday, Mandiant analysts Ben Read and Gabby Roncone presented data on Ghostwriter’s ties to Belarus. “Activism targeting Eastern Europe and anti-NATO intelligence operations is in line with what we have seen Russia do in the past,” Read told WIRED ahead of the conference. Despite these well-known tactics, techniques and procedures, Mandiant did not attribute the activity to Moscow at the time because it had not seen specific digital links.
Following the controversial elections in Belarus in August 2020, longtime President Alexander Lukashenko remained in power amid accusations that opposition leader Sviatlana Tsikhanouskaya had indeed won. The United States has called for an end to the election, and many of Belarus’s neighbors, including Poland, have made it clear that they support the Belarusian opposition. During this time, Mandiant observed a noticeable change in Ghostwriter’s campaigns.
“We have seen a shift in a much larger focus on specific issues of Belarus – targeting Belarusian dissidents, Belarusian media, actions that really seem to be done in support of the Belarusian government,” Read said. “And then we also came across technical details that lead us to believe that the pilots are in Minsk and some others who are hinting at the Belarusian army. This brings us to the point now where we are confident that Ghostwriter has a connection to Belarus.”
Shane Huntley, who heads Google’s Threat Analysis Group (TAG), says the Mandiant research is in line with TAG’s own findings. “Their report is consistent with what we have observed,” he told WIRED. As the group’s activity increasingly implied a special “Belarusian agenda” over the summer, Mandiant worked to unravel who was really behind the campaigns. Since last year’s election, 16 of Ghostwriter’s 19 misinformation campaigns have focused on highly derogatory stories about the governments of Lithuania and Poland, which neighbor Belarus. Two focused negatively on NATO and one criticized the EU.