The Ghostwriter misinformation campaign was first revealed in July 2020, when Russian threat actors were blamed. Since October 2020, the campaign has extended with additional tales, first targeting audiences in Lithuania, Latvia, and Poland with NATO-related topics.
Mandiant’s analysts made a link between the threat actor behind Ghostwriter, which has been identified as UNC1151, and the Belarusian government in a study released Tuesday, claiming that Belarus is at least partially responsible for the effort. The company said that it couldn’t rule out the possibility of Russian involvement. However, they haven’t found any direct proof of such contributions at this time.
UNC1151 has primarily targeted government and corporate entities in Germany, Lithuania, Latvia, Poland, and Ukraine. The opponent has also targeted Belarusian dissidents, journalists, and media outlets. In the year leading up to the country’s 2020 elections, the threat actor targeted Belarusian entities, with some persons eventually detained by the Belarusian authorities. Some targets, on the other hand, had no evident ties to Belarus.
According to Mandiant’s experts, evidence shows that UNC1151’s operators are based in Minsk, Belarus, and may be related to the Belarusian military. They further point out that the group’s operations are unrelated to recognized Russian threat actors.
Ghostwriter storylines have been linked with Belarusian goals since mid-2020, according to Mandiant analysts, and some of them, mainly those critical of neighboring nations, have been aired on official Belarusian media as reality. The source of written text involved in the Ghostwriter activities and the malware used by UNC1151 has yet to be determined by security experts.
The people who support these functions are likely part of the same organization identified as having a nexus to Belarus; however, the uncertainty and different skill sets required for various aspects of this activity make it possible for other organizations or countries to get involved, according to Mandiant.