Ghostwriter Disinformation Operation Linked to Belarus

Security researchers have linked the notorious state-sponsored Ghostwriter cyber-espionage and disinformation operation to Belarus for the first time.

In an extensive report published yesterday, threat intelligence and forensics firm Mandiant linked the UNC1151 group with “high confidence” to the Belarusian government. It has been said in the past that UNC1151 provides “technical support” to Ghostwriter.

“This assessment, along with observed Ghostwriter narratives consistent with Belarusian government interests, causes us to assess with moderate confidence that Belarus is also likely at least partially responsible for the Ghostwriter campaign,” the report claimed.

“We cannot rule out Russian contributions to either UNC1151 or Ghostwriter. However, at this time, we have not uncovered direct evidence of such contributions.”

It was thought previously that Ghostwriter was a Russian-sponsored entity. However, joint collaboration on the long-running campaign is possible, given the two countries’ shared goals and close ties, Mandiant said.

The Ghostwriter group had focused its efforts up until 2020 on anti-NATO narratives designed to strain ties between Lithuania, Latvia and Poland. Mandiant said 22 out of the 24 disinformation campaigns it observed fell into this category — including false allegations of the deployment of nuclear weapons, NATO troops spreading COVID-19, and crimes committed by NATO troops.

“The seeming intended effect of these narratives – to erode regional support for NATO – can serve both Russian and Belarusian interests. We note, however, that the campaign has specifically targeted audiences in countries bordering Belarus, whereas Russia has long promoted anti-NATO narratives both in the region and further afield,” the report claimed.

“Specifically, observed Ghostwriter operations, in this time period and through the present, have almost completely excluded Estonia, which notably does not border Belarus but is a Baltic State, NATO member and a relevant component of any concerns about NATO’s security posture on its eastern flank.”

Since August 2020, Ghostwriter has become more obviously aligned to the goals of the Belarus government and its autocratic President Alexander Lukashenko.

These include spreading disinformation about scandals within the ruling parties in Lithuania and Poland and efforts to discredit the Belarusian opposition.

Articles published by Ghostwriter personas in August last year attempted to portray widespread popular protests at the regime as NATO or US-orchestrated in an attempt to de-legitimize them.

Mandiant also claimed that Ghostwriter narratives, especially those critical of neighboring governments, have been featured on Belarusian state television as fact.

It referred to “sensitive technical information,” which locates the UNC1151 operation in Minsk, the Belarusian capital, and links it to the country’s military. These connections have reportedly been confirmed by “separate sources.”

In September, the EU criticized Russia for ongoing attempts by Ghostwriter to steal information and spread disinformation. The group had targeted German politicians in the run-up to the country’s recent elections.
