Ghostwriter (hacker group)

Ghostwriter
Formation: c. 2016
Type: threat actor
Purpose: disinformation attack
Headquarters: Minsk, Belarus [1]
Region: Belarus
Methods: phishing
Affiliations: Armed Forces of Belarus [1]

Ghostwriter, also known as UNC1151, is a hacker group allegedly originating from Belarus. According to the cybersecurity firm Mandiant, the group has spread disinformation critical of NATO since at least 2016. [2]

History

The name Ghostwriter comes from the group's first attacks, in which it stole the credentials of journalists or publishers and published fake articles under those credentials. The group thereby became an unwanted ghostwriter for the people whose credentials it had stolen. [3] UNC1151 is an internal Mandiant designation for uncategorized clusters of "cyber intrusion activity." [4]

The European Union has blamed this group for hacking German government officials.

The EU's foreign policy chief Josep Borrell has threatened Russia with sanctions. [5]

According to Serhiy Demedyuk, deputy secretary of the National Security and Defense Council of Ukraine, the group was responsible for the defacement of Ukrainian government websites in January 2022. [6]

In February 2022, The Register reported that a Ukrainian CERT had announced that the group was targeting "private ‘i.ua’ and ‘meta.ua’ [email] accounts of Ukrainian military personnel and related individuals" as part of a phishing attack during the invasion of Ukraine. [7] Mandiant said that two domains mentioned by the CERT, i[.]ua-passport[.]space and id[.]bigmir[.]space, were known command and control domains of the group. [7] Mandiant also said: "We are able to tie the infrastructure reported by CERT.UA to UNC1151, but have not seen the phishing messages directly. However, UNC1151 has targeted Ukraine and especially its military extensively over the past two years, so this activity matches their historical pattern." [7] [6]
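The two command and control domains above are published in defanged form. As an added example (not from the article, CERT.UA or Mandiant), the following Python refangs them and checks constructed proxy log lines for hits, matching the domain itself and any subdomain of it; the log lines, their hostnames and source addresses are made up for the example, and the log format is a hypothetical "timestamp source host status" layout.

```python
import re

# Defanged C2 domains exactly as reported by The Register / Mandiant (see text)
DEFANGED_IOCS = ["i[.]ua-passport[.]space", "id[.]bigmir[.]space"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'id[.]bigmir[.]space' into 'id.bigmir.space'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().strip(".")

def hostname_matches(hostname: str, ioc_domain: str) -> bool:
    """True if hostname is the IOC domain or any subdomain of it (not a parent or look-alike)."""
    hostname = hostname.lower().rstrip(".")
    return hostname == ioc_domain or hostname.endswith("." + ioc_domain)

# Constructed sample proxy log lines (not real traffic): timestamp source host status
SAMPLE_LOG = """\
2022-02-25T09:12:01Z 10.0.0.7 id.bigmir.space 200
2022-02-25T09:12:05Z 10.0.0.7 login.id.bigmir.space 302
2022-02-25T09:13:44Z 10.0.0.9 i.ua 200
2022-02-25T09:14:10Z 10.0.0.9 i.ua-passport.space 200
2022-02-25T09:15:00Z 10.0.0.12 bigmir.space 200
2022-02-25T09:16:21Z 10.0.0.12 notid.bigmir.space.example.com 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def find_hits(log_text: str, defanged_iocs=DEFANGED_IOCS):
    """Return (timestamp, source_ip, hostname, matched_ioc) for each log line that hits an IOC."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing on them
        ts, src, host, _status = m.groups()
        for ioc in iocs:
            if hostname_matches(host, ioc):
                hits.append((ts, src, host, ioc))
                break
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("IOC hit:", *hit)
```

Note that the legitimate parent domain bigmir.space and the look-alike notid.bigmir.space.example.com are deliberately not matched; only exact and subdomain hits are reported.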

Characteristics and techniques

The group has executed spear-phishing campaigns against members of the legitimate press in order to gain access to those organizations' content management systems. The group then uses that access to publish its own fake stories. [8]

References

  1. Satter, Raphael (2022-02-25). "Ukraine says its military is being targeted by Belarusian hackers". Reuters. Retrieved 2022-03-07.
  2. "Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity | Mandiant". www.mandiant.com. Retrieved 2022-03-02.
  3. "'Ghostwriter' Influence Campaign" (PDF). FireEye. Retrieved 5 March 2022.
  4. "DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors | Mandiant". www.mandiant.com. Retrieved 2022-03-07.
  5. "EU threatens sanctions on Russia over 'malicious cyber activities'". euronews. 2021-09-24. Retrieved 2021-09-24.
  6. Polityuk, Pavel (2022-01-16). "EXCLUSIVE Ukraine suspects group linked to Belarus intelligence over cyberattack". Reuters. Retrieved 2022-03-07.
  7. Corfield, Gareth (2022-02-25). "Ukraine seeks volunteers to defend networks as Russian troops menace Kyiv". The Register. Retrieved 2022-02-26.
  8. Greenberg, Andy. "Hackers Broke Into Real News Sites to Plant Fake Stories". Wired. ISSN 1059-1028. Retrieved 2022-03-02.