Ukraine security agencies warn of Ghostwriter threat activity, phishing campaigns

CERT-UA warns of misinformation, phishing, and active assaults against Ukrainian organizations.
Written by Charlie Osborne, Contributing Writer

The Computer Emergency Response Team for Ukraine (CERT-UA) has warned of ongoing phishing and Ghostwriter activity targeting organizations in the country.

On February 26, CERT-UA said it continues to track the movements of UNC1151/Ghostwriter, which is currently attacking targets in Ukraine, Poland, Belarus, and Russia. 

Ghostwriter is believed to be of Belarusian origin. According to the security agency, its members are officers of the Ministry of Defence of the Republic of Belarus. 

Cybersecurity firm Mandiant has been tracking campaigns supported by UNC1151. In particular, the company says that "technical support" is provided to Ghostwriter campaigns, and the Belarusian government has been accused of being at least "partially responsible" for the activities of these cyberattackers.

The European Council has previously accused Russia of having a part to play in Ghostwriter campaigns. 

Ghostwriter is said to align with Belarus state interests. Past activities have included promoting anti-NATO material through misinformation networks, spoofing, and website hijacking, as well as targeting Belarusian media outlets and individuals prior to the 2020 election. 

"Ghostwriter narratives, particularly those critical of neighboring governments, have been featured on Belarusian state television as fact," Mandiant says. 

According to CERT-UA, Ghostwriter cyberattacks have been recorded against the World Association of Belarusians, Belarusian Music Festival, literature and arts magazine Dziejaslou, Belarusian newspaper Sovetskaya Belorussiya, employees of the National Academy of Sciences of Belarus, and the Voice of Motherland newspaper. 

In addition, the agency warns that passport[.]command-email.online is an active phishing domain being used by the threat group.

CERT-UA has been publishing frequent threat intelligence since the start of the Russia-Ukraine conflict. The agency has also warned of mass phishing emails being sent by UNC1151 to "Ukrainian military personnel and related individuals" using email accounts with 'i.ua' and 'meta.ua' addresses.

A sample phishing message is below:

"Dear user! Your contact information or not you are a spam bot. Please, click the link below and verify your contact information. Otherwise, your account will be irretrievably deleted. Thank you for your understanding. Regards, I.UA Team."

On Monday, the National Security and Defense Council of Ukraine (NSDC/RNBO) also reported calls and phishing attempts made to obtain information from targets by pretending to be the post office of the Security Service of Ukraine (SBU). 

The Cyber Police Department of the National Police of Ukraine reports that phishing emails disguised as evacuation notices are also being sent.

In related news, hacktivist collective Anonymous says it has become involved in the conflict, claiming that it is responsible for the defacement of Russian government websites and a takedown of the state news outlet RT. RT and other state-funded media organizations have since been banned from generating revenue through ads by Google's search and YouTube units. 

On February 28, the TASS Russian news outlet appeared to suffer from a cyberattack and visitors were temporarily unable to access the website. Anonymous, or someone claiming to be part of the collective, claimed responsibility. 

Meta, formerly known as Facebook, has restricted access to some accounts owned by Russian state media organizations. Meta's Head of Security Policy Nathaniel Gleicher and Director of Threat Disruption David Agranovich said on February 27 that a network operated by people in Russia -- and Ukraine -- was targeting Ukraine with fake news and propaganda. 

According to the firm, there has also been "increased targeting" of the Ukrainian military and public figures by Ghostwriter. 
