Cyber espionage group UNC1151 likely conducts Ghostwriter Influence Activity. According to researchers at Mandiant Threat Intelligence, an ongoing influence campaign called “Ghostwriter is being carried out. It primarily targets victims in Lithuania, Latvia, and Poland and promotes narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe.
What is Ghostwriter Influence Campaign?
The researcher believes many if not all of the incidents are part of the Ghostwriter campaign. It appears to leverage website compromises or spoofed email accounts to spread fabricated content. This includes fake news articles, quotes, correspondence, and other documents designed to appear as if they were sent by military officials and political figures in the targeted country.
The Ghostwriter campaign was identified in 2020 by the researchers also listed in an update on Ghostwriter. They have noticed the bad actors heavily leverage the compromised social media accounts of Polish officials on the political right to publish content with an intention to create domestic disruption in Poland rather than generate districts of NATO.
The Ghostwriter campaigns are carried out in Polish and English languages to compromise websites, spoofed emails, or posts from inauthentic sources. The researchers have not found any evidence of the social media platforms being compromised. They believe the account details were obtained using the compromised email accounts of targeted individuals.
Recent technical evidence hint, UNC1151, a suspected state-sponsored cyberespionage actor involved in credential harvesting and malware campaigns to be behind some of the ongoing Ghostwriter influence activity.
The researchers further clarified they cannot conclusively say UNC1151 is behind the Ghostwriter campaign. But the group has expanded its credentials stealing operations since 2021 to target German politicians.