Ghostwriter 👻 APT

Threat Intelligence researchers believe that the Ghostwriter disinformation campaign (aka UNC1151) was linked to the government of Belarus. The campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests. GhostWriter doesn’t spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

The attackers used to replace existing legitimate articles on the sites with fake content, instead of creating new posts spreading fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries.

Ghostwriter operators focused on spreading fabricated quotes, such as a quote falsely attributed to the commander of the NATO eFP Battle Group that was used to push a narrative that 21 Canadian soldiers stationed in Latvia had been infected with COVID-19.

Another piece of fabricated content was a letter presented as to be authored by NATO Secretary General Jens Stoltenberg, which was written to bolster a narrative suggesting that the Atlantic alliance was planning to withdraw from Lithuania in response to the COVID-19 pandemic

In August 2020, the Ghostwriter campaign spread articles claiming that the protests in Belarus were orchestrated by the U.S. and NATO. Since the August 2020 elections, 16 out of 19 Ghostwriter operations promoted narratives defaming the Polish and Lithuanian governments.

The operators behind Ghostwriter targeted Belarusian entities before the 2020 elections, some of the individuals targeted by the nation-state actor were later arrested by the Belarusian government.

Sensitive technical information gathered by the researchers suggests the threat actors were operating from Minsk, Belarus under the control of the Belarusian Military.

Experts investigated the possible involvement of Russian APTs in Ghostwriter operations, but despite a high level TTP overlaps with Russian operations, the researchers have not found direct evidence of Russian government involvement.

MITRE ATT&CK

• T1566 – Phishing, 
• T1003 – OS Credential Dumping, 
• T1036 – Masquerading, 
• T1113 – Screen Capture, 
• T1106 – Native API, 
• T1119 – Automated Collection, 
• T1078 – Valid Accounts, 
• T1189 – Drive-by Compromise, 
• T1056 – Input Capture, 
• T1059 – Command and Scripting Interpreter, 
• T1071 – Application Layer Protocol, 
• T1105 – Ingress Tool Transfer, 
• T1140 – Deobfuscate/Decode Files or Information, 
• T1218 – Signed Binary Proxy Execution,
•  T1547 – Boot or Logon Autostart Execution, 
• T1559 – Inter-Process Communication