Connect with us

Hi, what are you looking for?



‘Ghostwriter’ – Widespread Disinformation Campaign Associated with Russia

FireEye security researchers have linked a series of disinformation operations that have been ongoing since at least March 2017. 

FireEye security researchers have linked a series of disinformation operations that have been ongoing since at least March 2017. 

Referred to as Ghostwriter, the influence campaign mainly targeted audiences in Lithuania, Latvia, and Poland with themes referencing the North Atlantic Treaty Organization (NATO) presence in Eastern Europe, often using compromised websites or spoofed email accounts to distribute the fake content. 

Aligned with Russian security interests, the campaign also leveraged anti-United States narratives and themes related to the COVID-19 pandemic. Adversaries created at least 14 fake online personas posing as locals, journalists, and analysts to distribute the falsified content via articles and op-eds published to third-party websites such as,, and, among others. 

While some of these incidents have already received attention from researchers, news outlets, and government entities, others remain obscure. Although the attacks haven’t been attributed to a specific actor, the operations are “part of a larger, concerted, and ongoing influence campaign,” FireEye says in its report (PDF). 

“It appears, based on the limited public information available regarding the website compromises we have tied to Ghostwriter, that the actors behind the campaign are relatively well-resourced, either directly possessing traditional cyber threat capabilities themselves or having ready access to operational support from others who do. It is plausible that Ghostwriter operations are conducted by overlapping actors or groups that are also behind other influence campaigns or incidents of cyber threat activity,” FireEye says. 

While some of the aspects of the campaign resemble those of the Secondary Infektion operation, the researchers did not observe cyber threat activity to support the previously detailed operations, and many other attributes of the newly detailed attacks are different. 

Overall, the observed Ghostwriter operations employ a combination of tactics and dissemination of fake content that often changes from one incident to another. However, each operation begins with the creation of a falsified narrative and fake source documentation. 

The false narratives distributed in this campaign rely on fabricated quotes supposedly attributed to officials, as well as falsified official correspondence presented as source for the narratives. Modified images have been employed as well. 

Advertisement. Scroll to continue reading.

Many of the operations abused compromised websites, such as those of news outlets, to publish fake news or documentation. In some cases, the adversaries appear to have replaced existing content on the compromised sites with the fabricated content. 

The adversaries disseminated the Ghostwriter narratives and articles via email, published fabricated articles and op-eds on sites that accept user-generated content, and promoted the content through blogs and pages on Blogspot, Wix, and WordPress. In some cases, social media was used for dissemination. 

According to FireEye, some of the personas abused in the campaign have been coordinating with each other, and many were observed publishing content as part of the same operation. The 14 personas associated with the campaign have been active in at least 15 suspected Ghostwriter operations since 2017. 

“The Ghostwriter campaign leverages traditional cyber threat activity and information operations tactics to promote narratives intended to chip away at NATO’s cohesion and undermine local support for the organization in Lithuania, Latvia, and Poland. While the operations so far have targeted audiences in this limited set of countries, we caution that the same tactics employed in the Ghostwriter campaign can be readily repurposed and used against other target geographies,” FireEye concludes. 

RelatedRussia Behind Spread of Virus Disinformation, U.S. Officials Say

Related: Democrats ‘Gravely Concerned’ Over Foreign Interference in US Vote

Related: Threat to US Elections Not Limited to Russia in 2020

Related: Twitter Closes Thousands of Fake News Accounts Worldwide

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Kim Larsen is new Chief Information Security Officer at Keepit

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

More People On The Move

Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...