Threat Management, Threat Intelligence, Phishing

Mandiant researchers tie elements of ‘Ghostwriter’ influence campaign to Belarus

Supporters of the Belarusian opposition leader Sviatlana Tsikhanouskaya attend a protest against regime of the Alexander Lukashenko on June 07, 2021 in Prague, Czech Republic. New research from Mandiant tracks the way Belarusian political opposition to Lukashenko were increasingly targeted by the Ghostwriter influence campaign. (Photo by Gabriel K...

Security researchers are tying the hacking group behind a global influence campaign targeting governments, politicians, members of the press and human rights activists to Belarus.

Ghostwriter is the name given for a wide-ranging influence campaign that utilized both hacking and influence operations to target at least 30 countries over the past five years. The name is derived from its use of inauthentic personas that pose as locals, journalists, and analysts within target countries in order to post fake articles, op-eds, quotes, correspondence and other documents designed to appear as if they were coming from military officials and political figures in the target countries.

The attribution was made Tuesday by researchers at threat intelligence firm Mandiant, who assessed with “high confidence” that the group “UNC1151” (the name they’ve given for the hacking cluster) has numerous technical and geopolitical indicators that trace back to the Belarusian government.

Among the new findings: except for major American tech companies like Facebook, Google and Twitter, many of the domains used by the group to spoof legitimate websites and steal credentials appear to target five countries — Ukraine, Lithuania, Poland, Latvia and Germany — that neighbor the eastern European state and align with the interests of the Belarusian government. Additionally, the campaign targeted a number of individuals associated with Belarus’ political opposition, but there’s no evidence that they did the same to the Belarusian government.

That conclusion “along with observed Ghostwriter narratives consistent with Belarusian government interests, causes us to assess with moderate confidence that Belarus is also likely at least partially responsible for the Ghostwriter campaign,” said the report.

Despite the new research, there are still unanswered questions about the scope and sponsorship of UNC1151, the group behind Ghostwriter.

The findings by Mandiant contrast with a statement put out by the European Union in September, which claimed that “some EU member states” were attributing the campaign to Russia. Mandiant’s new research doesn’t shut the door on that possibility but refrains from reaching the same conclusion.

“We cannot rule out Russian contributions to either UNC1151 or Ghostwriter. However, at this time, we have not uncovered direct evidence of such contributions,” the researchers wrote.

Ben Read, director of cyber espionage-analysis at Mandiant and one of the authors of the new report, told SC Media that the company has strong technical evidence linking UNC1151 to Belarus but they lack the same kind of data that can conclusively tie specific Ghostwriter operations to the nation.

Further complicating the picture, the shift to targeting Belarusian neighbors and political opposition, while noticeable, is relatively recent. Until mid-2020, the group was more known for pushing anti-NATO narratives, and previous research from Mandiant released when they were under the FireEye brand claimed that the campaign appeared to align with Russian state interests, though it pointedly declined to attribute it to a particular government.

“Since the disputed August 2020 elections in Belarus, Ghostwriter operations have been more distinctly aligned with Minsk’s interests. Promoted narratives have focused on alleging corruption or scandal within the ruling parties in Lithuania and Poland, attempting to create tensions in Polish-Lithuanian relations, and discrediting the Belarusian opposition,” the report notes.

On top of that, Mandiant notes that a small subset of activity that can be tied to Ghostwriter does not target the five countries and its individuals or carry a clear connection to Belarusian political interests.

Read said the technical evidence tying UNC1151’s tooling and DNS infrastructure and SLL certificate overlaps with Ghostwriter activity is to this point well documented by Mandiant and other research firms. He also cited additional technical evidence (that Mandiant is withholding) which claims to place UNC1151 operators in Minsk, the Belarusian capital.

Given the close political ties between the Belarusian government led by authoritarian Alexander Lukashenko and Russia, Read said it is possible the other activities could indicate a joint operation by the two countries, but the language Mandiant used was chosen to reflect and grapple with some of the lingering uncertainty that still shrouds parts of the campaign.

“The reason this is more political is because it’s really about attributing this stuff to a sponsor: who benefits from this, who is this conducted on behalf of, and that’s where we bring in the parochial interests, the targeting … trying to look at the infrastructure these countries have," said Read.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.