Threat intelligence experts at Mandiant have tied the Belarus government to a large-scale disinformation campaign in Europe called Ghostwriter that others — including some European Union member states — have previously attributed to Russia’s foreign intelligence services group.
The report from Mandiant’s threat intelligence team is based on the security vendor’s observations of UNC1151, a threat group that it previously has identified as providing technical support to the Ghostwriter campaign. Mandiant’s analysis of artifacts related to UNC1151’s activities showed that several of the threat group’s operators are based in Minsk and likely operating on behalf of the Belarus government and potentially for the country’s military as well.
Recent Ghostwriter messaging also suggests the campaign is being conducted in support of the Belarusian government and likely being sponsored by it as well, the vendor said.
Mandiant has not ruled out a Russian connection to the campaign but said it had so far not found anything to corroborate that theory.
Ghostwriter is a cyber-enabled disinformation campaign that for at least four years has sought to undermine US and NATO interests in Eastern Europe through fake news articles and other messaging. Mandiant’s research shows that 22 out of 24 Ghostwriter operations prior to mid-2020 involved false narratives about the deployment of nuclear weapons in Eastern Europe, NATO troops spreading COVID-19, and war crimes by NATO troops.
In September 2021, officials from the German government and the Council of the European Union formally identified Russia as the sponsor of the Ghostwriter campaign following a series of cyberattacks that they determined were to influence the outcome of parliamentary elections in Germany.
But according to Mandiant, its analysis of UNC1151’s activities and other data suggests Belarus may be behind the influence campaign more so than Russia. Mandiant’s research on UNC1151 showed the threat group has been conducting cyber espionage against targets of particular interest to the Belarus government since at least 2017. This has included a wide variety of private and government organizations, particularly in five countries: Ukraine, Lithuania, Latvia, Poland, and Germany.
Many of UNC1151’s government targets have been ministries of defense, suggesting a strong military intelligence-gathering focus for the group. The threat actor has also targeted dissidents, media organizations, and journalists in Belarus, particularly in the run-up to the controversial presidential elections in the country in 2020. Several of those individuals were later arrested.
As part of its cyber-espionage operations, UNC1151 registered numerous credential theft domains that spoofed websites belonging to trusted companies, such as Facebook, Google, and Twitter. The threat actor also spoofed websites belonging to regional email providers, private business, and local and national government agencies in the five countries where it primarily focused its attention.
The Ghostwriter campaign’s focus too has been primarily Belarus-centric, especially since mid-2020, Mandiant’s analysis shows. After the disputed August 2020 elections, for instance, Ghostwriter campaigns promoted narratives seeking to discredit Belarusian opposition parties. Several operations promoted fake stories about corruption and scandal within government in Lithuania and Poland — ostensibly because of their strong condemnation of Belarus President Alexander Lukashenko’s crackdown on demonstrators following his controversial victory. Other Ghostwriter campaigns pushed fake stories about the demonstrations being orchestrated by the US and its allies.
Alden Wahlstrom, an analyst at Mandiant, says UNC1151’s role has been to support Ghostwriter campaigns. As an example, he points to one campaign in which UNC1151 sent multiple emails that supported or referenced Ghostwriter operations and narratives to target audiences. In another instance, UNC1151 targeted private email addresses belonging to Polish officials whose social media accounts were later abused to support Ghostwriter’s dissemination of fake news.
“UNC1151 seems to provide operational support for Ghostwriter operations alongside its cyber-espionage activity,” says Gabrielle Roncone, technical threat intelligence analyst at Mandiant. “UNC1151’s cyber-espionage activity includes credential harvesting and malware targeting against entities, primarily in Poland, Ukraine, and Lithuania. We have not observed evidence suggesting that UNC1151 provides any other operational support [for other] operations or cyber-espionage activity.”
As part of its research, Mandiant examined potential Russian participation in UNC1151 and Ghostwriter operations. However, despite some high-level overlaps between UNC1151 and some Russian threat groups, there was not enough evidence to either confirm or refute a Russian hand in the disinformation campaign, according to Mandiant.
Karim Hijazi, CEO of Prevailion, says Mandiant’s conclusion about Belarus being the actor behind Ghostwriter is interesting because it contradicts the findings of German cyber officials and others about Russian involvement in the activity.
“Mandiant has a strong reputation for attribution,” Hjazi says. “If they have new information which suggests it is a Belarusian actor, then that is certainly something worth taking very seriously.”
Prevailion recently conducted its own analysis of Ghostwriter/UNC1151 and discovered that the infrastructure supporting the operation was significantly larger than previously thought. The security vendor found 81 more domains than previously known that were being used for Ghostwriter-related phishing purposes. The campaigns targeted a broad swath of users, including those belonging to the Polish government and Ukrainian and French military.
Hijazi says it would be surprising if Russia did not have a hand in the Ghostwriter operation. “They could be providing support, or they could be the ones who are sponsoring it,” he says. “But it seems unlikely to me that Belarus would undertake this kind of effort entirely on its own.” He says it’s possible that attacks like the one targeting Germany’s elections were a proxy operation that Belarus carried out on Russia’s behalf.
He notes that while Mandiant and EU officials may have come to different conclusions on the nation-state behind the activity, both have noted a military intelligence involvement in it. “The fact that both suspect this is a military instead of intelligence operation is very concerning because a military operation is more likely to take aggressive actions,” he says.
Also, assuming Mandiant’s Belarus attribution is correct, it would show that disinformation campaigns, including election interference efforts and psy-ops missions aimed at sowing internal dissent, are spreading beyond Russia and the other usual suspects.
“Warning bells should be ringing about this, not only in Europe, but around the world,” Hijazi says. “Cyber disinformation and political inference efforts are not going to slow down. They’re going to get worse.”