Social media companies have started to become more efficient at recognizing and taking down fake accounts designed to spread fake news and propaganda. But operators of traditional media websites and other digital platforms that regularly publish vital news information to the public may also want to train themselves to be on the lookout for disinformation secretly implanted on their sites via web server compromises.

Indeed, a new report from FireEye details an apparent foreign influence operation targeting Central and Eastern European news sites, whereby malicious actors have been adding fake content to the sites, in some cases completely replacing a genuine story with a fake one.

Dubbed Ghostwriter, the operation has been active since at least March 2017 and has produced fake content that spreads anti-NATO sentiments and aligns with the goals and interests of Russia, according to a new blog post and research report from FireEye’s Mandiant Threat Intelligence team, which in part cites intelligence and documentation gleaned from foreign governments and news sources. Mandiant says it believes “with moderate confidence” that Ghostwriter is an element of a “broader influence campaign.”

Ghostwriter has primarily targeted Poland and the Baltic nation-states of Lithuania and Latvia, not only leveraging the aforementioned compromised websites, but also using spoofed email accounts to directly email fake news to targets such as news organizations and government and NATO officials, FireEye reports. Several fake news articles were focused on Covid-19 — suggesting that NATO was pulling out of Lithuania due to the pandemic, or blaming U.S. and NATO forces in Europe for contributing to the spread of the Covid-19 virus.

A similar fake news plot could conceivably be launched against U.S. and Western media organizations as well. “…[W]e caution that the same tactics employed in the Ghostwriter campaign can be readily repurposed and used against other target geographies,” FireEye warns in its report. “Given the established history of cyber threat and information operations tactics regularly migrating from targeting Eastern Europe to targeting Western Europe and the U.S., this campaign may warrant special attention, especially as elections near.”

Website administrators typically know to look out for defacements or drive-by malware or skimmers implanted in their code. But the idea of someone secretly taking over a website to publish fake content is a bit of a foreign concept.

Still, the results could be very damaging. In July 2017, a Washington Post report citing U.S. intelligence officials said that the United Arab Emirates may have been behind the compromise of a Qatari government news site’s systems, resulting in the publishing of a false report containing fabricated inflammatory statements supposedly from Qatar’s emir. The incident appeared to exacerbate a diplomatic crisis between Qatar and other Middle Eastern nations.

Media organizations that seek to shield themselves from such dangerous disinformation campaigns may wish to start by looking at the content management systems that journalists interact with to publish their stories. FireEye believes that the CMS may have been Operation Ghostwriter’s attack vector of choice.

“It’s not clear how changes were made without notice,” noted John Hultquist, senior director of analysis with FireEye’s Mandiant Threat Intelligence division. Regardless, “Credentials for CMS systems should be treated as very sensitive and whenever possible multifactor should be used. Furthermore, notifications might have helped prevent some of this activity.”

“Website content management system vulnerabilities are commonplace and easily exploited…” said Mallory Knodel, CTO at the Center for Democracy and Technology (CDT). “Strong and secure websites protect against this by making only cached versions of the website available to users through content delivery networks, and some might go so far as to ensure that the back end, the site’s CMS, [isn’t] exposed on the internet at all, and that version control for static page content, like the content of a news story, is closely monitored.”

“Strong authentication for anyone with back-end access is a must, and this can be done through the use of strong passwords, second-factor authentication, and limiting access to those on a virtual private network,” Knodel continued.
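One way to act on the “closely monitored” version control and the notification points raised above, as an added example rather than code from FireEye or the experts quoted: a content-integrity audit that treats the CMS copy of each story as the source of truth, compares it with the text actually being served, and raises an alert for any story that was rewritten, removed, or never approved in the first place. The story texts are constructed sample data.

```python
"""Content-integrity audit: does the story being served still match the copy
that editors approved in the CMS? Added example, not code from FireEye or the
experts quoted above; all data is constructed (APPROVED would come from the CMS
export, LIVE from fetching the public pages)."""
import difflib, hashlib, html, re

def normalize(text: str) -> str:
    """Drop tags, entities and stray whitespace so only wording changes alert."""
    text = re.sub(r"<[^>]+>", " ", html.unescape(text))
    return re.sub(r"\s+", " ", text).strip()

def fingerprint(text: str) -> str:
    """Stable hash of the normalised text; store this per story in the CMS."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()

def first_change(expected: str, served: str) -> str:
    """Word-level description of the first edit, for the alert an editor reads."""
    a, b = normalize(expected).split(), normalize(served).split()
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag != "equal":
            return f"{' '.join(a[i1:i2])!r} -> {' '.join(b[j1:j2])!r}"
    return ""

def audit(approved: dict[str, str], live: dict[str, str]) -> list[dict]:
    """One alert per discrepancy: 'modified' (wording differs), 'removed'
    (approved but not served) or 'unapproved' (served but never approved)."""
    alerts = []
    for slug, text in approved.items():
        if slug not in live:
            alerts.append({"slug": slug, "kind": "removed"})
        elif fingerprint(text) != fingerprint(live[slug]):
            alerts.append({"slug": slug, "kind": "modified",
                           "change": first_change(text, live[slug])})
    for slug in live.keys() - approved.keys():
        alerts.append({"slug": slug, "kind": "unapproved"})
    return sorted(alerts, key=lambda a: a["slug"])

APPROVED = {  # constructed: story text as committed in the CMS
    "exercise-2020": "Allied units completed the planned exercise on schedule.",
    "budget-vote": "Parliament approved the <em>defence</em> budget on Tuesday.",
}
LIVE = {  # constructed: text scraped from the public site
    "exercise-2020": "<p>Allied  units completed the planned exercise on schedule.</p>",
    "budget-vote": "Parliament rejected the defence budget on Tuesday.",  # one word swapped
    "troops-withdraw": "Alliance forces are withdrawing from the region.",  # never approved
}

if __name__ == "__main__":
    for alert in audit(APPROVED, LIVE):  # budget-vote modified, troops-withdraw unapproved
        print(alert)
```

Run on a schedule against the live site, the audit turns a silent rewrite into a notification; the markup-tolerant normalisation keeps ordinary template changes from drowning editors in false alarms.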

Tony Lauro, director of security strategy at Akamai, said CMSs may be even easier to compromise if attackers can leverage security weaknesses created by pandemic-related remote working conditions.

“If an attacker can gain access to [the] CMS platform, either by taking over the remote employee’s workstation or by otherwise phishing their login credentials, as you’d imagine, they’d have the keys to the kingdom,” said Lauro.

Therefore, “Giving the ability for your remote workforce to connect back into those important corporate assets without also bringing the added risk of unseen network traffic which VPNs often provide while they connect external users to internal applications is of high value,” Lauro continued. “Organizations should look into zero trust-related technologies for remote access so that when employees connect to internal content management systems to upload media, they are not connecting to any additional network resources. This is done by way of a proxied connection between the inside resources and outside users.”

Another risk, said Lauro, is third- and fourth-party scripts “that news outlets load as part of their everyday page load for functions like user performance monitoring, ads, and SEO related optimizations. If these scripts were to be compromised, they would then be loaded into the browser of any user who visits their page,” and “maybe even load a fake article just to the users themselves so the news outlet may not even know they are playing host to serving this fake content.”

To address this risk, Lauro recommends injecting what he terms “good JavaScript code,” programmed to watch over high-value page loads and detect any abnormal activity caused by any script that follows it as it loads into a page visitor’s browser.

Mostly written in English, the fake Ghostwriter articles contain the bylines of imaginary personas, and sometimes include manufactured documents or fake quotes from real military officials and politicians. Although posting the stories on a credible site is perhaps the most convincing tactic, the actors have also reportedly posted content on various third-party publishing sites and on several blog sites of their own.

Additional controversial article content included regional NATO military exercises, “general attempts to discredit the U.S. and NATO, and strategic discussion favoring Russia over other world powers,” FireEye reports.

“It appears, based on the limited public information available regarding the website compromises we have tied to Ghostwriter, that the actors behind the campaign are relatively well-resourced, either directly possessing traditional cyber threat capabilities themselves or having ready access to operational support from others who do,” the FireEye report concludes, noting that the operation could be one main actor or “overlapping actors or groups that are also behind other influence campaigns.”

Nevertheless, Knodel from the CDT is keeping this threat in perspective: “It’s my view that U.S. news and media websites themselves are not at great risk for these compromises,” she said. “That said, I think the U.S. media landscape is diverse and should remain diverse, and so focusing messaging about these risks to journalists and platforms that aren’t mainstream news and media websites is still very important.”

“The biggest risk,” she noted, “could very well be that people will be less likely to trust non-mainstream publications in a climate of panic over disinformation.”