Social Media Disinformation Targeting NATO

An ongoing disinformation campaign called "Ghostwriter," which leverages compromised social media accounts, is targeting several NATO member countries in Europe.  Ghostwriter is attempting to undermine confidence in the defensive organization as well as spread discord in Eastern Europe.  Researchers who uncovered the campaign in July 2020 have now documented an additional 20 incidents related to the cyber operation, including at least one earlier in 2021.

The Ghostwriter campaign is primarily aimed at citizens of Poland, Lithuania, and Latvia, researchers report.  The operation is mainly designed to undermine confidence in NATO operations in Eastern Europe as well as generate opposition to the deployment of soldiers from other countries, including the US and Canada.[1] 

The disinformation campaign has spread to parts of Western Europe, including Germany, where reports surfaced in local news media last March about spear-phishing attacks that targeted members of that country's Parliament.  The group behind the campaign uses website compromises, spoofed emails, and social media posts from "inauthentic personas," according to the report. Those behind the campaign have also deployed phishing emails laced with malware in an attempt to harvest credentials.

"Certainly anti-US narratives are getting mixed up in this, but the campaign itself is very much focused on undermining perceptions of the US and NATO in these local communities, specifically Eastern European countries," says FireEye's senior manager for information operations analysis. "Just because it's local right now in Eastern Europe does not mean that we should not be concerned by it because these types of tactics are readily deployable elsewhere.  So, it's always possible that this actor or perhaps another will seek to use the same type of tactics in Western European countries or even in the US."

Researchers attribute at least part of this campaign to an attack group that has not been previously documented, which is labeled UNC1151.  "We now also assess with high confidence that UNC1151, a suspected state-sponsored cyberespionage actor that engages in credential harvesting and malware campaigns, conducts at least some components of Ghostwriter activity," according to a research report.  It appears that UNC1151 has been in operation since at least 2017.

Analysts say that they have not tied UNC1151 to a particular nation-state.  They also say that another attack group may be involved in some aspects of this particular influence operation.  "You could have a kind of technical group that's conducting intrusion operations, and at the same time there's another entity that believes a good use of these attacks is standing up fake social media profiles or altering blogs to publish a certain kind of narrative," an analyst says.

The report says the group behind the campaign likely stole credentials for Facebook and Twitter accounts so they could use the accounts to send disinformation posts.  For example, several accounts belonging to politicians in Poland were taken over between October 2020 and January and then used to discredit the country's government.  "The incidents also touched on some consistent themes: two involved the dissemination of compromising photos of officials and people with whom they are associated, two falsely implicated the respective officials as criticizing female activists and one falsely claimed that an official wanted to renounce her affiliation with the [Law and Justice] party," according to the report.

In October 2020, the FireEye researchers found fake news articles written in both English and Polish that pushed a narrative that NATO was preparing for a war with Russia and that Poland, Latvia and Lithuania would become battlegrounds.  "In addition to spreading this narrative via a fabricated article published to multiple websites, including sites used in previous Ghostwriter operations, links to that article were also disseminated via posts by multiple compromised social media accounts belonging to Polish officials," researchers note. "We observed overlaps between this operation and some of the Polish social media compromises."

The global vice president for security research at New Net Technologies (NNT) says this type of disinformation campaign can sow doubts about the motives of various governments and institutions.  "The vector used by UNC1151 is particularly insidious, as they are trying to exploit accounts of trusted sources to spread that different narrative," NNT says. "The really bad part of this approach is that - even if some of those account takeovers are discovered and the story about them being compromised is told - one question remains in the public. That question is: What is the truth?"

Red Sky Alliance has been collecting, analyzing, and documenting cyber threats for 9+ years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.  Many past tactics are often dusted off and reused in current malicious campaigns.  Red Sky Alliance can provide actionable cyber intelligence and weekly blacklists to help protect your network. 

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516

 

[1] https://www.bankinfosecurity.com/ghostwriter-disinformation-campaign-targets-nato-allies-a-16481
