For at least four years, the well-known hacking and disinformation group Ghostwriter has plagued countries in Eastern Europe and the Baltic states. Given its tactics – and anti-NATO and anti-US messaging – the assumption has been that Ghostwriter is another Kremlin-led campaign. The European Union even announced at the end of September that some member states had “linked” Ghostwriter “with the Russian state”. As it turns out, this is not entirely true. According to threat intelligence firm Mandiant, the Ghostwriter hackers operate in Belarus.
Mandiant took a closer look at Ghostwriter for the first time in July 2020. The group at the time was primarily known for creating and distributing fake news articles and even hacking real news sites to spread misleading content. By April 2021, Mandiant attributed broader activity to Ghostwriter, including hacking of government officials’ social media accounts to spread disinformation and efforts to target politicians with hacking and leaks. The group has long focused on undermining NATO’s role in Eastern Europe, and has increasingly turned to fueling political divisions or instability in Poland, Ukraine, Lithuania, Latvia and Germany.
At the Cyberwarcon conference in Washington, D.C., on Tuesday, Mandiant analysts Ben Read and Gabby Roncone are presenting evidence of Ghostwriter’s ties to Belarus.
“The credential-stealing activity targeting Eastern Europe and anti-NATO information operations is in line with what we’ve seen Russia do in the past,” Read told WIRED before the conference. Despite those familiar tactics, techniques, and procedures, Mandiant did not attribute the activity to Moscow at the time, because it did not see specific digital connections.
After the controversial elections in Belarus in August 2020, President Alexander Lukashenko retained power amid accusations that opposition leader Sviatlana Tsikhanouskaya had won. The elections were denounced by the United States, and many of Belarus’s neighbors, including Poland, made it clear that they supported the Belarusian opposition. During this time, Mandiant noticed a marked change in Ghostwriter’s campaigns.
“We’ve seen a shift to much more focus on Belarus-specific issues — targeting Belarusian dissidents, Belarusians in the media, things that really look like they were done in support of the Belarusian government,” Read said. “And then, we also found technical details that make us believe that the operators are in Minsk, and some others that allude to the Belarusian military. This brings us to the point where we are now confident in saying that Ghostwriter has a connection with Belarus.”
Shane Huntley, who leads the Threat Analysis Group at Google, says Mandiant’s research fits with TAG’s own findings. “Their report is consistent with what we’ve observed,” he told WIRED.
As the group’s activity increasingly hinted at a specifically Belarusian agenda over the summer, Mandiant worked to establish who was really behind the campaigns. Since last year’s election, 16 of Ghostwriter’s 19 disinformation operations have focused on narratives that disparage the governments of Lithuania and Poland, Belarus’s neighbors. Two focused negatively on NATO and the other criticized the European Union.
A Ghostwriter operation in August focused on Poland and Lithuania, pushing a false narrative accusing migrants of crimes. Long-running tensions between Poland and Belarus have escalated dramatically in recent weeks, with the border seen as a flashpoint. Other recent operations have claimed accidents at nuclear power plants in Lithuania, possibly because Lithuania had long opposed the proximity of the Astravyec nuclear plant in Belarus to its border. Belarusian state television picked up and repeated Ghostwriter’s misinformation, although it is unclear whether this was the result of a specific arrangement or just part of a general feedback loop of Belarusian pro-government propaganda. Read also notes that Ghostwriter has not focused on Estonia – the only Baltic country that does not border Belarus.