A year ago FireEye produced a first report on the Ghostwriter group (and LSM also drew attention to its poorly-written activities) which primarily targets audiences in Lithuania, Latvia and Poland and promotes narratives critical of the NATO presence in Eastern Europe which seem to coincide cosily with the Kremlin line on pretty much everything.
The original report is available to read online and concluded that Ghostwriter was likely part of a "concerted and ongoing influence campaign".
Now the cyber-security experts have followed up on that initial investigation, noting a shift towards targeting Poland by the Ghostwriter group but also identifying "with high confidence that UNC1151, a suspected state-sponsored cyber espionage actor that engages in credential harvesting and malware campaigns, conducts at least some components of Ghostwriter influence activity."
Since the start of 2021, UNC1151 has also expanded its credential theft activity to target German politicians. This targeting has been publicly reported in the German Tagesschau.
The appendices of the report include an exhaustive table of incidents and operations currently associated with Ghostwriter activity, a detailed case study of a recent Ghostwriter operation, and indicators of compromise (IOCs) related to UNC1151.
Part of the report relates:
Another suspected Ghostwriter operation promoted a narrative between October 22-26, 2020, suggesting that NATO is preparing its military for a war with Russia, which would ostensibly take place in Poland, Latvia and Lithuania, a narrative consistent with those promoted in past Ghostwriter operations that appear intended to undermine NATO’s presence in—and security cooperation with—those three specific countries. In addition to spreading this narrative via a fabricated article published to multiple websites, including sites used in previous Ghostwriter operations, links to that article were also disseminated via posts by multiple compromised social media accounts belonging to Polish officials.
According to FireEye, UNC1151 intrusion activity has been active since at least 2017 and has included credential harvesting campaigns targeting European government and media entities as well as some attempts to distribute malware. "The group uses an extensive array of domains that mimic major and regional web services and host pages designed to trick a victim into entering their credentials," the report says.
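The credential-harvesting technique FireEye describes, lookalike domains that mimic a legitimate web service, is something defenders can screen for in newly registered domain feeds or proxy logs. The following is an added example written for this article, not FireEye's code or any IOC from the report: the protected domain list, the observed domains and the distance threshold are all constructed for illustration. It flags four lookalike patterns (homoglyph or hyphen variants, the brand embedded with extra tokens such as "login-", small edit-distance typos, and the brand used as a subdomain of an unrelated registrable domain) while leaving the genuine domain and its own subdomains alone.

```python
"""Flag lookalike domains against a list of protected web-service domains.

Added example for this article, not FireEye's code. PROTECTED, OBSERVED,
HOMOGLYPHS and the distance threshold are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed: services an organisation wants to protect (.example is a
# reserved TLD). A real deployment would list its actual mail/SSO hosts.
PROTECTED = ["example-mail.com", "example.org", "nordmail.example"]

# Constructed: character substitutions commonly seen in lookalike names.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s",
              "rn": "m", "vv": "w", "cl": "d"}


@dataclass
class Finding:
    domain: str   # observed domain that was flagged
    mimics: str   # protected domain it resembles
    reason: str   # which lookalike pattern matched


def registrable_label(domain: str) -> str:
    """Label left of the TLD. Simplified: no public-suffix list lookup,
    so two-part suffixes such as co.uk are not handled in this example."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Collapse hyphens and common homoglyphs so variants compare equal."""
    s = label.replace("-", "")
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(observed: str, protected: List[str] = PROTECTED,
             max_distance: int = 2) -> Optional[Finding]:
    """Return a Finding if `observed` looks like one of `protected`, else None."""
    host = observed.lower().rstrip(".")
    # The genuine domain, or a subdomain of it, is never a lookalike.
    for legit in protected:
        if host == legit or host.endswith("." + legit):
            return None
    # Brand placed as a leading subdomain of some unrelated domain.
    for legit in protected:
        if host.startswith(legit + "."):
            return Finding(observed, legit, "brand used as subdomain of unrelated domain")
    label = registrable_label(host)
    norm = normalize(label)
    for legit in protected:
        legit_label = registrable_label(legit)
        legit_norm = normalize(legit_label)
        if norm == legit_norm and label != legit_label:
            return Finding(observed, legit, "homoglyph/hyphen variant")
        if legit_norm in norm and norm != legit_norm:
            return Finding(observed, legit, "brand embedded with extra tokens")
        d = levenshtein(norm, legit_norm)
        if 0 < d <= max_distance:
            return Finding(observed, legit, f"edit distance {d}")
    return None


def scan(domains: List[str]) -> List[Finding]:
    """Classify each domain and keep only the flagged ones."""
    return [f for f in (classify(d) for d in domains) if f is not None]


# Constructed sample of observed domains (e.g. from a new-registration feed).
OBSERVED = [
    "mail.example.org",               # genuine subdomain, not flagged
    "login-example-mail.com",         # brand plus extra token
    "examp1e-mail.com",               # digit-for-letter homoglyph
    "exarnple.org",                    # rn for m
    "exampel.org",                     # transposition, edit distance 2
    "example.org.login-portal.net",   # brand as subdomain elsewhere
    "n0rdmail.example",               # zero for o
    "unrelated.net",                  # nothing in common, not flagged
]


def demo() -> List[Finding]:
    return scan(OBSERVED)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.domain:32} mimics {f.mimics:20} ({f.reason})")
```

Normalising before comparing is what makes the homoglyph and hyphen cases cheap to catch; the edit-distance check is the noisy one and should be tuned against the organisation's own short domain labels, where a threshold of 2 will collide with legitimate names.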
However, while stating with some certainty that Ghostwriter/UNC1151 is "state sponsored", FireEye stops frustratingly short of naming the state in question, though three guesses would probably be two too many given that its main targets appear to be the Baltics, Poland, Ukraine and the Belarusian democratic opposition. In conclusion the report says:
We have since observed a seeming expansion of the narratives, targeting and TTPs associated with Ghostwriter activity and developed further intelligence that leads us to assess that the cyber espionage group UNC1151 conducts at least some components of Ghostwriter activity. We have also identified Ghostwriter influence activity extending back years before we formally identified the campaign in 2020. However, current intelligence gaps, including gaps pertaining to website compromises and the operation of false personas, do not allow us to conclusively attribute all aspects of the Ghostwriter campaign to UNC1151 at this time.
The new report is available to read in full here.