'Ghostwriter' Disinformation Campaign Targets NATO AlliesFireEye: Effort Leverages Compromised Social Media Accounts
An ongoing disinformation campaign dubbed "Ghostwriter," which leverages compromised social media accounts, is targeting several NATO member countries in Europe, attempting to undermine confidence in the defensive organization as well as spread discord in Eastern Europe, according to the security firm FireEye.
Researchers at FireEye, who uncovered the campaign in July 2020, have now documented an additional 20 incidents related to the cyber operation, including at least one earlier this year, the report notes.
The Ghostwriter campaign is primarily aimed at citizens of Poland, Lithuania and Latvia, researchers report. The operation is mainly designed to undermine confidence in NATO operations in Eastern Europe as well as generate opposition to the deployment of soldiers from other countries, including the U.S. and Canada, FireEye says.
The disinformation campaign has spread to parts of Western Europe, including Germany, where reports surfaced in local news media in March about spear-phishing attacks that targeted members of that country's Parliament (see: German Parliament Sustains Another Attack).
The group behind the campaign uses website compromises, spoofed emails and social media posts from "inauthentic personas," according to the report. Those behind the campaign have also deployed phishing emails laced with malware in an attempt to harvest credentials.
"Certainly anti-U.S. narratives are getting mixed up in this, but the campaign itself is very much focused on undermining perceptions of the U.S. and NATO in these local communities, specifically Eastern European countries," says Lee Foster, FireEye's senior manager for information operations analysis. "Just because it's local right now in Eastern Europe does not mean that we should not be concerned by it because these types of tactics are readily deployable elsewhere. So it's always possible that this actor or perhaps another will seek to use the same type of tactics in Western European countries or even in the U.S."
Who's Behind the Campaign?
The FireEye researchers attribute at least part of this campaign to an attack group that has not been previously documented; they label the group as UNC1151.
"We now also assess with high confidence that UNC1151, a suspected state-sponsored cyberespionage actor that engages in credential harvesting and malware campaigns, conducts at least some components of Ghostwriter activity," according to the report.
Foster says that it appears that UNC1151 has been in operation since at least 2017.
The FireEye report notes that it has not tied UNC1151 to a particular nation-state. And it says that another attack group may be involved in some aspects of this particular influence operation.
"You could have a kind of technical group that's conducting intrusion operations, and at the same time there's another entity that believes a good use of these attacks is standing up fake social media profiles or altering blogs to publish a certain kind of narrative," Foster says.
Use of Social Media
The FireEye report says the group behind the campaign likely stole credentials for Facebook and Twitter accounts so they could use the accounts to send disinformation posts.
For example, several accounts belonging to politicians in Poland were taken over between October 2020 and January and then used in an attempt to discredit the country's government.
"The incidents also touched on some consistent themes: two involved the dissemination of compromising photos of officials and people with whom they are associated, two falsely implicated the respective officials as criticizing female activists and one falsely claimed that an official wanted to renounce her affiliation with the [Law and Justice] party," according to the report.
In October 2020, the FireEye researchers found fake news articles - written in both English and Polish - that pushed a narrative that NATO was preparing for a war with Russia and that Poland, Latvia and Lithuania would become battlegrounds.
"In addition to spreading this narrative via a fabricated article published to multiple websites, including sites used in previous Ghostwriter operations, links to that article were also disseminated via posts by multiple compromised social media accounts belonging to Polish officials," the researchers note. "We observed overlaps between this operation and some of the Polish social media compromises."
Dirk Schrader, global vice president for security research at New Net Technologies, says this type of disinformation campaign can sow doubts about the motives of various governments and institutions.
"The vector used by UNC1151 is particularly insidious, as they are trying to exploit accounts of trusted sources to spread that different narrative," Schrader says. "The really bad part of this approach is that - even if some of those account takeovers are discovered and the story about them being compromised is told - one question remains in the public. That question is: What is the truth?"