A cyber-enabled influence effort codenamed Ghostwriter was discovered in July 2020. Poland, Lithuania, and Latvia were the main targets. According to developments cited by researchers, however, the campaign has been linked to an unclassified threat actor.
Significant Discoveries
- Five new Ghostwriter-related initiatives were developed in both English and Polish between October 2020 and January 2021.
- Compromised Facebook, Twitter, and Instagram accounts of Polish politicians were used in the operations.
- The actions were aimed at bringing the ruling political coalition to its knees.
Trends in Operation
The incidents below shared common patterns:
- Two of them circulated incriminating images of authorities and persons connected to them.
- Two spread accusations that their respective officials were denigrating female campaigners.
- One spread the word that a PiS official wanted to sever her ties with the party.
Acknowledgment
- Several emails, artifacts, and documents associated with the threat actor were used in the Ghostwriter campaign, which has been linked to UNC1151.
- At least 13 emails sent by UNC1151 to various European and American media outlets matched the plots, chronology, and content of past Ghostwriter operations.
- According to technical evidence, the threat group hacked into the email accounts of Polish authorities around the same time they were used in the Ghostwriter attack.
UNC1151 is primarily active in credential harvesting and malware delivery via spear-phishing attacks and has not been linked to any known threat actor. The extension of the Ghostwriter campaign’s narratives and tactics, techniques, and procedures (TTPs) implies that this threat actor is responsible for at least some of the campaign’s activities. Despite this, researchers were unable to definitively link Ghostwriter to UNC1151 due to current information gaps.