430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

APT

Mandiant links Ghostwriter operations to Belarus

Security researchers at the Mandiant Threat Intelligence team believe that Ghostwriter APT group is linked to the government of Belarus. Mandiant Threat Intelligence researchers believe that the Ghostwriter disinformation campaign (aka UNC1151) was linked to the government of Belarus. In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by […]

Ghostwriter

Security researchers at the Mandiant Threat Intelligence team believe that Ghostwriter APT group is linked to the government of Belarus.

Mandiant Threat Intelligence researchers believe that the Ghostwriter disinformation campaign (aka UNC1151) was linked to the government of Belarus.

In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites.

According to FireEye, the campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.

Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

The attackers used to replace existing legitimate articles on the sites with fake content, instead of creating new posts.

The attackers were spreading fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries.

According to the experts, the campaign primarily targeted audiences in specific states members of the alliance, including Lithuania, Latvia, and Poland.

Ghostwriter operators focused on spreading fabricated quotes, such as a quote falsely attributed to the commander of the NATO eFP Battle Group that was used to push a narrative that 21 Canadian soldiers stationed in Latvia had been infected with COVID-19.

Another piece of fabricated content was a letter presented as to be authored by NATO Secretary General Jens Stoltenberg, which was written to bolster a narrative suggesting that the Atlantic alliance was planning to withdraw from Lithuania in response to the COVID-19 pandemic

According to a report published this week by Mandiant, Belarus was involved in the campaigns tracked as GhostWriter.

“Mandiant Threat Intelligence assesses with high confidence that UNC1151 is linked to the Belarusian government.” reads the report published by Mandiant. “In April 2021, we released a public report detailing our high-confidence assessment that UNC1151 provides technical support to the Ghostwriter information operations campaign; this assessment, along with observed Ghostwriter narratives consistent with Belarusian government interests, causes us to assess with moderate confidence that Belarus is also likely at least partially responsible for the Ghostwriter campaign. We cannot rule out Russian contributions to either UNC1151 or Ghostwriter. “

In August 2020, the Ghostwriter campaign spread articles claiming that the protests in Belarus were orchestrated by the U.S. and NATO. Since the August 2020 elections, 16 out of 19 Ghostwriter operations promoted narratives defaming the Polish and Lithuanian governments.

The operators behind Ghostwriter targeted Belarusian entities before the 2020 elections, some of the individuals (representatives of the Belarusian opposition) targeted by the nation-state actor were later arrested by the Belarusian government.

Sensitive technical information gathered by the researchers suggests the threat actors were operating from Minsk, Belarus under the control of the Belarusian Military.

Mandiant investigated the possible involvement of Russian APTs in Ghostwriter operations, but despite a high level TTP overlaps with Russian operations, the researchers have not found direct evidence of Russian government involvement.

“Mandiant assesses with high confidence that Ghostwriter information operations are conducted in support of the Belarusian government and with moderate confidence that they are conducted with Belarusian sponsorship.” Mandiant concludes.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]