Ghostwriter (hacker Group)

Ghostwriter also known as UNC1151 is a hacker group allegedly originating from Belarus. According to the cybersecurity firm Mandiant, the group has spread disinformation critical of NATO since at least 2016.

History

The name Ghostwriter comes from the group's first attacks, whereby they would steal credentials of journalists or publishers and publish fake articles using those credentials. Hence, the group effectively became unwanted ghostwriters for those with stolen credentials. UNC1151 is an internal company name by Mandiant given to uncategorized groups of "cyber intrusion activity."

The European Union has blamed this group for hacking German government officials.

EU's foreign policy chef Josep Borrell has threatened Russia for sanctions.

According to Serhiy Demedyuk, deputy secretary of the national security and defense council of Ukraine, the group was responsible for defacement of Ukrainian government websites in January 2022.

In February 2022 The Register reported that a Ukrainian CERT had announced that the group was targeting "private ‘i.ua’ and ‘meta.ua’ mailaccounts of Ukrainian military personnel and related individuals" as part of a phishing attack during the invasion of Ukraine. Mandiant said that two domains mentioned by the CERT, ''i a-passport pace'' and ''id igmir pace'' were known command and control domains of the group. Mandiant also said "We are able to tie the infrastructure reported by CERT.UA to UNC1151, but have not seen the phishing messages directly. However, UNC1151 has targeted Ukraine and especially its military extensively over the past two years, so this activity matches their historical pattern."

Characteristics and techniques

The group has executed spear-phishing campaigns against members of legitimate press to infiltrate the content management systems of those organizations. Then, the group uses the system to publish their own fake stories.

References

Hacker groups
Hacking in the 2020s
{{computer-security-stub