Mandiant links Belarus to Ghostwriter campaign, which leaked stolen data and pushed disinformation

The effort has boosted anti-NATO messaging and appeared similar to Russian disinformation outfits.
Belarus' President Alexander Lukashenko addresses employees of the Minsk Wheel Tractor Plant (MZKT), in Minsk, on August 17, 2020.(Photo by Nikolay PETROV / BELTA / AFP) (Photo by NIKOLAY PETROV/BELTA/AFP via Getty Images)

The Belarusian government is partially responsible for a years-long influence operation targeting Latvia, Lithuania and Poland, according to research published Tuesday.

Operation “Ghostwriter,” a propaganda campaign that has pushed fabricated narratives about the North Atlantic Treaty Organization and COVID-19, among other topics, is the work of people in Belarus, including the country’s military, as part of an overall effort to hack and leak information, pollute political discourse with amplified narratives, and collect intelligence, according to the threat intelligence firm Mandiant, which has tracked the group for years.

Investigators, including from the European Union, previously suggested that the operation aligned with Russian interests, as the social media campaigns apparently sought to sow mistrust in NATO’s military presence in Eastern Europe, a frequent goal of the Kremlin.

The findings show that complex information operations once associated with Russia and China have become more common, Ben Read, director of Mandiant’s cyber espionage team, told CyberScoop.


“The tools, the idea of doing these things, is accessible to a lot more people,” he said. “It’s a much more complicated field than five years ago.”

An EU spokesperson told CyberScoop that the EU has “seen the reports and are currently assessing the content. We welcome the researchers’ efforts to dig deeper and explain better to the public how those campaigns work. The report expands the body of evidence with regard to Ghostwriter attacks and other foreign information manipulation and interference/hybrid operations.”

The Ghostwriter group is accused of harvesting stolen passwords, leaking hacked data and to promoting specific political narratives. The European Union in September formally blamed the Russian government as being behind Ghostwriter, and called on Moscow “to adhere to the norms of responsible state behaviour in cyberspace.” The EU statement came out weeks after the German government accused the Russians of targeting German lawmakers ahead of elections in that country.

Suspected Russian operatives have used similar efforts, such as a group known loosely as Secondary Infektion, which has aimed to amplify attention on similar narratives.

Research published in April 2021 detailed how Ghostwriter dumped information that had been stolen from Polish officials’ social media accounts. Credentials for those accounts were taken by a hacking group known as UNC1151, a state-sponsored group distinct from other cyber threat groups, with the apparent goal of destabilizing the internal politics of several NATO countries.


Citing “sensitively sourced technical evidence,” Mandiant reports that the operators behind UNC1151 are likely located in Minsk, Belarus.

Separate technical evidence “supports a link” between UNC1151 and the Belarusian military. The details of the technical evidence, which Mandiant declined to share, has been “directly observed by Mandiant” and “confirmed with other sources. This data, combined with evaluation of targets and the content, provides proof of involvement from the Belarusian government of Aleksandr Lukashenko, an ally of the Russian government.

UNC1151 is thought to support the Ghostwriter campaign, but it remains unclear whether the Belarusian government is in full control.

“Since the disputed August 2020 elections in Belarus, Ghostwriter operations have been more distinctly aligned with Minsk’s interests,” Mandiant wrote. “Promoted narratives have focused on alleging corruption or scandal within the ruling parties in Lithuania and Poland, attempting to create tensions in Polish-Lithuanian relations, and discrediting the Belarusian opposition.”

The bulk of UNC1151’s activity is focused on Ukraine, Latvia, Lithuania, Poland and Germany. Its work also targets Belarusian dissidents, media entities and journalists.


European leaders have accused Lukashenko, the president of Belarus, of manufacturing an ongoing migrant crisis on the border with Poland in retaliation for sanctions imposed by the European Union after accusations of a rigged election. The 2015 migrant crisis in Europe destabilized the European Union, and the current situation is part of a “hybrid attack,” Ursula von der Leyen, the president of the European Commission in Washington, D.C., said last week.

“This is the attempt of an authoritarian regime to try and destabilize its democratic neighbors,” she said, calling it part of a pattern. “We see the cyber attacks, we see the misinformation, now we have this hybrid attack by instrumentalizing migrants and the EU/Belarus border.”

Updated, 11/19/21: To include comment from the EU.

Latest Podcasts