The Belarusian government has been accused of at least "partial responsibility" for Ghostwriter attacks in Europe.
While cybersecurity companies often err on the side of caution when it comes to the attribution of threat groups, Mandiant says that it has "high confidence" that Ghostwriter, also linked to UNC1151 activities, is a cybercriminal outfit potentially working on behalf of the country's government.
Sanctions were placed on Belarus earlier this year after the forced diversion of a commercial plane into Belarusian airspace to arrest a passenger, a dissident journalist called Roman Protasevich. Now, in retaliation, the country's President Alexander Lukashenko has been accused of engineering a migrant crisis to destabilize the EU.
However, it seems that retribution may go further, with the attribution of Ghostwriter to the ruling government.
The European Council has previously accused Russia of Ghostwriter involvement.
According to the cybersecurity researchers, Russian interference cannot be "ruled out," but other indicators suggest that Belarusian interests are at the heart of the operation, in which government and private sector entities in Ukraine, Lithuania, Latvia, Poland, and Germany are commonly targeted.
Ghostwriter has also been involved in attacks against Belarusian dissidents, media, and individual journalists.
UNC1151 -- active since 2016 -- and Ghostwriter once focused on promoting anti-NATO material through phishing, spoofing, and hijacking vulnerable websites. However, from 2020, the groups expanded their operations in attempts to influence Polish politics and to steal sensitive information via credential theft.
UNC1151 also targeted Belarusian media outlets and opposition members ahead of the 2020 election, a disputed landslide win. No attacks have been recorded against Russian or Belarusian state entities.
"Additionally, in several cases, individuals targeted by UNC1151 before the 2020 Belarusian election were later arrested by the Belarusian government," Mandiant says.
Many of Ghostwriter's campaigns are focused on narratives that are anti-NATO. Since mid-2020, the group has spread content accusing NATO of corruption and the military of spreading COVID-19, and alleging corruption in Lithuanian and Polish politics. The EU has also been criticized in recent campaigns.
"Ghostwriter narratives, particularly those critical of neighboring governments, have been featured on Belarusian state television as fact," the researchers added. "We are unable to ascertain whether this is part of a coordinated strategy or if it is simply Belarusian state TV promoting narratives that are consistent with regime interest and being unconcerned with accuracy."