At least four years, hacking and disinformation group known has Ghostwriter has plagued countries in Eastern Europe and the Baltics. Given its methods – and its anti-NATO and anti-American messages – the widespread assumption has been that Ghostwriter is yet another Kremlin-led campaign. The European Union even declared in late September that some member states have “associated” Ghostwriter “with the Russian state.” As it turns out, this is not entirely true. According to the threat intelligence company Mandiant, Ghostwriters hackers work for Belarus.
Mandiant first took a closer look at Ghostwriter in July 2020. At the time, the group was primarily known for creating and distributing fake news articles and even hacking real news sites to post misleading content. In April 2021, Mandiant attributed a broader activity to Ghostwriter, including operations to compromise government officials’ social media accounts to spread misinformation and efforts to target politicians with hacking and leaks. The group has long focused on undermining NATO’s role in Eastern Europe and has increasingly turned to inciting political divides or instability in Poland, Ukraine, Lithuania, Latvia and Germany.
At the Cyberwarcon conference in Washington, DC on Tuesday, Mandiant analysts Ben Read and Gabby Roncone will present evidence of Ghostwriter’s ties to Belarus.
“The activity-theft activity targeting Eastern Europe and anti-NATO information operations were both in line with what we have seen Russia do in the past,” Read told WIRED ahead of the conference. Despite these well-known tactics, techniques, and procedures, Mandiant did not attribute Moscow at the time because they had not seen specific digital links.
Following Belarus’ controversial election in August 2020, longtime President Alexander Lukashenko retained power amid accusations that opposition leader Sviatlana Tsikhanouskaya had in fact won. The United States condemned the election, and many of Belarus’s neighbors, including Poland, made it clear that they supported the Belarusian opposition. During this time, Mandiant observed a remarkable change in Ghostwriter’s campaigns.
“We saw a shift to much more focus on Belarus-specific issues – targeting Belarusian dissidents, Belarusians in the media, things that really look like they were done in support of the Belarusian government,” Read said. “And then we also came across technical details that make us believe that the operators are located in Minsk and some others that suggest the Belarusian military. That brings us to the point now that we are sure to say that Ghostwriter has a link to Belarus. “
Shane Huntley, who heads Google’s Threat Analysis Group, says the Mandiant research fits in with TAG’s own findings. “Their report is consistent with what we have observed,” he told WIRED.
As the group’s activity increasingly suggested a specific Belarusian agenda over the summer, Mandiant worked to find out who was actually behind the campaigns. Since last year’s election, 16 out of 19 Ghostwriter disinformation operations have focused on stories that demean Lithuanian and Polish governments’ neighbors to Belarus. Two focused negatively on NATO and one criticized the EU.
A Ghostwriter operation in August focusing on Poland and Lithuania accelerated a false narrative accusing migrants of committing crimes. Long-standing tensions between Poland and Belarus have escalated dramatically in recent weeks with the border as a hotspot. Other recent operations have claimed accidents at Lithuania’s nuclear power plants, perhaps because Lithuania has long opposed the close proximity of Belarus’s Astravyet nuclear power plant. State television in Belarus has captured Ghostwriter misinformation stories and repeated them, though it is unclear whether this was the result of specific coordination or simply part of a general feedback loop of Belarusian pro-government propaganda. Read also points out that Ghostwriter has not focused on Estonia – the one Baltic state that does not border Belarus.