ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Operation Ghostwriter

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Operation Ghostwriter

NamesOperation Ghostwriter (FireEye)
UNC1151 (FireEye)
CountryBelarus Belarus
SponsorState-sponsored
MotivationInformation theft and espionage, Sabotage and destruction
First seen2017
Description(FireEye) Mandiant Threat Intelligence has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign—ongoing since at least March 2017—aligned with Russian security interests. The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda. We have dubbed this campaign “Ghostwriter.”

Many, though not all of the incidents we suspect to be part of the Ghostwriter campaign, appear to have leveraged website compromises or spoofed email accounts to disseminate fabricated content, including falsified news articles, quotes, correspondence and other documents designed to appear as coming from military officials and political figures in the target countries.
ObservedSectors: Defense, Education, Government, Media.
Countries: Colombia, Estonia, France, Germany, Ireland, Kuwait, Latvia, Lithuania, Poland, Switzerland, Ukraine.
Tools usedHALFSHELL, RADIOSTAR, VIDEOKILLER, WhisperGate.
Operations performed2021Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity
<https://content.fireeye.com/web-assets/rpt-unc1151-ghostwriter-update>
Mar 2021German Parliament targeted again by Russian state hackers
<https://www.bleepingcomputer.com/news/security/german-parliament-targeted-again-by-russian-state-hackers/>
Jan 2022Ukraine suspects group linked to Belarus intelligence over cyberattack
<https://www.reuters.com/world/europe/exclusive-ukraine-suspects-group-linked-belarus-intelligence-over-cyberattack-2022-01-15/>
Jan 2022Operation “Bleeding Bear”
Destructive malware targeting Ukrainian organizations
<https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/>
Information<https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/Ghostwriter-Influence-Campaign.pdf>
<https://www.prevailion.com/diving-deep-into-unc1151s-infrastructure-ghostwriter-and-beyond/>
<https://www.mandiant.com/resources/unc1151-linked-to-belarus-government>

Last change to this card: 27 January 2022

Download this actor card in PDF or JSON format

Previous: Operation Epic Manchego
Next: Operation Ghoul

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]