State-Sponsored Cyber Espionage Group Behind Anti-NATO Cyber Influence Operation Targeting Lithuania, Latvia and Poland

A US cyber­se­cu­ri­ty firm is report­ing on an ongo­ing cyber-influ­ence oper­a­tion code-named “Ghost­writer.” Recent­ly obtained tech­ni­cal evi­dence sug­gests that UNC1151, a sus­pect­ed state-spon­sored cyber espi­onage actor, has tar­get­ed audi­ences in Lithua­nia, Latvia, and Poland with nar­ra­tives crit­i­cal of NATO’s pres­ence in East­ern Europe. Accord­ing to a Fire Eye report:

April 28, 2021 In July 2020, Man­di­ant Threat Intel­li­gence released a pub­lic report detail­ing an ongo­ing influ­ence cam­paign we named “Ghost­writer.” Ghost­writer is a cyber-enabled influ­ence cam­paign which pri­mar­i­ly tar­gets audi­ences in Lithua­nia, Latvia and Poland and pro­motes nar­ra­tives crit­i­cal of the North Atlantic Treaty Organization’s (NATO) pres­ence in East­ern Europe. Since releas­ing our pub­lic report, we have con­tin­ued to inves­ti­gate and report on Ghost­writer activ­i­ty to Man­di­ant Intel­li­gence cus­tomers. We tracked new inci­dents as they hap­pened and iden­ti­fied activ­i­ty extend­ing back years before we for­mal­ly iden­ti­fied the cam­paign in 2020. A new report by our Infor­ma­tion Oper­a­tions analy­sis, Cyber Espi­onage analy­sis, and Man­di­ant Research teams pro­vides an update on Ghost­writer, high­light­ing two sig­nif­i­cant developments.

We have observed an expan­sion of nar­ra­tives, tar­get­ing and TTPs asso­ci­at­ed with Ghost­writer activ­i­ty since we released our July 2020 report. For exam­ple, sev­er­al recent oper­a­tions have heav­i­ly lever­aged the com­pro­mised social media accounts of Pol­ish offi­cials on the polit­i­cal right to pub­lish con­tent seem­ing­ly intend­ed to cre­ate domes­tic polit­i­cal dis­rup­tion in Poland rather than foment dis­trust of NATO. These oper­a­tions, con­duct­ed in Pol­ish and Eng­lish, appear to have large­ly not relied on the dis­sem­i­na­tion vec­tors we have typ­i­cal­ly observed with pre­vi­ous Ghost­writer activ­i­ty, such as web­site com­pro­mis­es, spoofed emails or posts from inau­then­tic per­sonas. We have observed no evi­dence that these social media plat­forms were them­selves in any way com­pro­mised, and instead believe account cre­den­tials were obtained using the com­pro­mised email accounts of tar­get­ed individuals.

Recent­ly obtained tech­ni­cal evi­dence now allows us to assess with high con­fi­dence that UNC1151, a sus­pect­ed state-spon­sored cyber espi­onage actor that engages in cre­den­tial har­vest­ing and mal­ware cam­paigns, con­ducts at least some com­po­nents of Ghost­writer influ­ence activity.

Read the full report here.

UNC1151, the cyberes­pi­onage group tracked by Fire Eye, has not yet been linked to any known influ­ence actor, but the influ­ence oper­a­tion aligns with Russ­ian inter­ests. Accord­ing to US cyber­se­cu­ri­ty media, UNC1151 has been run­ning oper­a­tions aimed at cre­den­tial har­vest­ing and mal­ware deliv­ery through spear-phish­ing attacks. The cre­den­tials steal­ing attacks tar­get­ed gov­ern­ment, mil­i­tary, and media orga­ni­za­tions in Poland, Ukraine, and Baltic coun­tries, but the group was also observed attempt­ing to com­pro­mise the accounts of oth­er enti­ties of inter­est, includ­ing jour­nal­ists and activists.

Rus­sia is a pro­lif­ic actor in the influ­ence oper­a­tions space. It is par­tic­u­lar­ly well known for its attempts to inter­fere in the elec­tions of demo­c­ra­t­ic coun­tries, par­tic­u­lar­ly in the Unit­ed States. Most of its influ­ence oper­a­tions appear to be con­duct­ed via cyber activities.

In April, we report­ed about a NATO study assess­ing Lithuania’s coun­ter­mea­sures direct­ed at Russ­ian disinformation