State-Sponsored GhostWriter APT Focuses on Disinformation
It is not uncommon for Advanced Persistent Threat (APT) groups to serve a specific party's political interests. While many of these organizations tend to be financially motivated, there are also groups like GhostWriter that specialize in discrediting political opposition, spreading fake information, and causing political disruption. The GhostWriter hackers' first campaigns can be traced back to 2017, but the group's activity really picked up pace around 2020, when their name was associated with dozens of attacks against officials in Poland, Latvia, and Lithuania.
What is the GhostWriter APT Modus Operandi?
The criminals behind this group rely heavily on phishing and malware to obtain sensitive login credentials from their victims. The peculiar part is the type of accounts they target: mostly ones related to Content Management Systems. By compromising the social media accounts of politicians and high-ranking officials, the criminals are able to abuse those accounts to spread content that serves GhostWriter's political interests.
Instead of uploading brand new content to compromised Content Management Systems, the GhostWriter hackers were often observed altering previously published content to insert fake documents, false quotes, or made-up correspondence.
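Because the tampering described above changes already-published pages rather than creating new ones, a review of CMS revision history is one place a defender can catch it. The following is an added example, not code from the original article or from any CMS: the record schema, the 30-day threshold, the account names and the sample data are all constructed assumptions.

```python
import difflib
import re
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=30)  # assumed: edits to posts older than this are unusual
# Added markup matching the tampering described above: quotes and linked documents.
RISKY = re.compile(r'<blockquote|href="[^"]+\.(?:pdf|docx?)"', re.I)

def added_lines(old, new):
    """Lines present in the new body but not in the old one."""
    diff = difflib.ndiff(old.splitlines(), new.splitlines())
    return [d[2:] for d in diff if d.startswith("+ ")]

def review(revisions, known_ips):
    """Return (post_id, reasons) for edits to long-published posts that need review."""
    findings = []
    for r in revisions:
        age = datetime.fromisoformat(r["edited"]) - datetime.fromisoformat(r["published"])
        if age < STALE_AFTER:
            continue  # normal editorial churn shortly after publication
        reasons = []
        if any(RISKY.search(line) for line in added_lines(r["old"], r["new"])):
            reasons.append("added quote or document link")
        if r["src_ip"] not in known_ips.get(r["editor"], set()):
            reasons.append("editor logged in from unfamiliar address")
        if reasons:
            findings.append((r["post_id"], reasons))
    return findings

# Constructed sample data (documentation IP ranges, invented account names).
KNOWN_IPS = {"editor1": {"192.0.2.10"}, "editor2": {"192.0.2.20"}}
REVISIONS = [
    {"post_id": 1, "editor": "editor1", "src_ip": "192.0.2.10",
     "published": "2022-02-01T09:00:00", "edited": "2022-02-02T10:00:00",
     "old": "<p>Budget vote today.</p>", "new": "<p>Budget vote held today.</p>"},
    {"post_id": 2, "editor": "editor2", "src_ip": "198.51.100.77",
     "published": "2021-06-15T09:00:00", "edited": "2022-02-20T03:14:00",
     "old": "<p>Joint exercise announced.</p>",
     "new": "<p>Joint exercise announced.</p>\n<blockquote>Constructed quote.</blockquote>\n"
            '<a href="/files/letter.pdf">letter</a>'},
    {"post_id": 3, "editor": "editor1", "src_ip": "192.0.2.10",
     "published": "2021-01-10T09:00:00", "edited": "2022-01-12T11:00:00",
     "old": "<p>Offce hours changed.</p>", "new": "<p>Office hours changed.</p>"},
]

if __name__ == "__main__":
    for post_id, reasons in review(REVISIONS, KNOWN_IPS):
        print(post_id, "; ".join(reasons))
```

Post 3 shows the case that keeps the check usable: a late typo fix from a familiar address is not flagged, while post 2 is flagged on both content and login origin.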
The group is believed to have close ties to Russia, but their most likely country of origin is Belarus. A common theme among statements that GhostWriter hackers release via compromised accounts is the North Atlantic Treaty Organization (NATO) and, unsurprisingly, they aim to discredit the organization's mission and credentials in the affected regions.
Another hint of GhostWriter's ties to Russia is their most recent campaign, which has been active since February 2022. This time, the Russia-backed hackers are targeting Ukrainian military officials via phishing emails.