The Ghostwriter campaign is believed to be the work of a state-sponsored cyber espionage group. The campaign aligns with Russian interests and was initially observed targeting audiences in Lithuania, Latvia, and Poland with NATO-related themes.
The activity has expanded with new narratives, and the attackers started leveraging compromised Twitter, Facebook, and Instagram accounts of Polish officials to disseminate content aimed at creating domestic political disruption in the country.
A Ghostwriter operation that did fall in line with previously observed activity promoted, for several days in October 2020, content suggesting that NATO was getting its military ready for a war with Russia, and that the battle would take place in Poland, Latvia, and Lithuania. The narrative was promoted via a fabricated article published on several websites, but compromised social media accounts of Polish officials were also used to disseminate the story.
The group tracked by FireEye as UNC1151, which has not been linked to any known threat actor, has been running operations aimed at credential harvesting and delivery of the HALFSHELL malware through spear-phishing attacks.
The credential-stealing attacks targeted government, military, and media organizations in Poland, Ukraine, and Baltic countries, but the group was also observed attempting to compromise the accounts of other entities of interest, including journalists and activists.