
Ghostwriter Influence Campaign Linked to Espionage Threat Group


Researchers have linked parts of a previously disclosed influence campaign, which they call Ghostwriter, to the UNC1151 threat group “with high confidence.”

The Ghostwriter influence campaign was first disclosed in July, primarily targeting Lithuania, Latvia and Poland. The campaign has since expanded both its targeting and its tactics, techniques and procedures (TTPs) as seen in over 20 additional incidents, said researchers with FireEye Mandiant in a Wednesday report. As part of these incidents, researchers found technical evidence that allowed them to link some parts of the campaign to UNC1151, an espionage group that has not been associated with other previously tracked threat groups.

Lee Foster, senior manager of the information operations analysis team at FireEye, said that the new discoveries around Ghostwriter are important to track, as Eastern Europe has often been a popular testbed for various influence tactics that have over time migrated elsewhere.

“It’s always worth keeping a close eye on campaigns like this… we’ve seen before how these can be readily deployed elsewhere so it’s important to know what actors are doing and how they are evolving so we can continue from a mitigation perspective to proactively defend against these types of threats,” said Foster.

In July, researchers uncovered the campaign spreading narratives that aimed to discredit the North Atlantic Treaty Organization (NATO) - an intergovernmental military alliance between 30 North American and European countries (including the three targeted countries, Lithuania, Latvia and Poland) - and its presence in Eastern Europe. The campaign, which had been ongoing since 2017, was using compromised news website content management systems (CMS) to spread false reports of correspondence from military officials, fake quotes from political figures and more.

Since this initial discovery, researchers found that the Ghostwriter campaign has expanded its TTPs; in addition to the initial attack vector of leveraging compromised websites, attackers are now compromising actual social media accounts - on Twitter, Facebook and Instagram - of Polish officials in order to publish falsified content. Researchers believe that in order to compromise the accounts, attackers obtained credentials of the officials using compromised email accounts.

“What’s interesting on the social media side here is the compromise of legitimate accounts to do this, rather than impersonating the accounts, because then you’ve got ready access to the followers of that account, and you have the credibility of the content that’s being pushed by that account,” said Foster.

In January, for example, a tweet was published on the compromised Twitter account of Poland’s deputy minister of development, labor, and technology, Iwona Michałek. The tweet falsely indicated that Michałek no longer wanted to be affiliated with the right-wing Law and Justice (PiS) party in Poland.

The aim of these more recent campaigns also appears to have shifted from creating distrust of NATO to creating political disruption in order to widen domestic political divisions, said researchers.

Previously, researchers assessed with “moderate confidence” that the operations were aligned with Russian security interests – however, they shied away from attributing the campaign to a specific actor or group of actors. Now, researchers are connecting parts of the campaign to UNC1151, due to multiple artifacts, emails and documents linked to UNC1151 that were used as part of the Ghostwriter campaign.

For example, researchers pointed to a copy of a forged letter, linked to UNC1151, which was purportedly sent from NATO Secretary General Jens Stoltenberg to Lithuanian Minister of National Defense Raimundas Karoblis announcing the withdrawal of NATO forces from Lithuania due to COVID-19 concerns. This document was previously used as part of an April 2020 Ghostwriter operation. In another instance, they connected the infrastructure used in Ghostwriter operations against Lithuanian media entities with that used by UNC1151 in credential harvesting operations.

Of note, due to “current intelligence gaps,” including a lack of information about the website compromises related to the campaign, researchers said they are not conclusively attributing all aspects of the Ghostwriter campaign to UNC1151.

UNC1151, which has been linked to activity starting in 2017, has previously conducted various campaigns aimed at stealing credentials and delivering malware, with its previous targets including government, military and media entities in Poland, Ukraine and the Baltics. A "UNC group" is FireEye's designation for a cluster of intrusion activity - such as infrastructure, tools, and tactics - for which researchers are not yet ready to give a classification (such as APT).

Researchers said the group has used various domains that mimic major web services and host pages designed to trick victims into entering their credentials. It has also distributed malware via spear-phishing emails with malicious attachments. Researchers warned that since the start of 2021, UNC1151 has also started to expand its credential theft activity to target German politicians.

“The targeting of German individuals has been reported in the German media… We believe that this reporting is referring to credential theft activities conducted by UNC1151,” said researchers. “We have not seen follow-on operations using any potentially stolen credentials.”