FireEye security researchers have linked a series of disinformation operations that have been ongoing since at least March 2017.
Referred to as Ghostwriter, the influence campaign mainly targeted audiences in Lithuania, Latvia, and Poland with themes referencing the North Atlantic Treaty Organization (NATO) presence in Eastern Europe, often using compromised websites or spoofed email accounts to distribute the fake content.
Aligned with Russian security interests, the campaign also leveraged anti-United States narratives and themes related to the COVID-19 pandemic. Adversaries created at least 14 fake online personas posing as locals, journalists, and analysts to distribute the falsified content via articles and op-eds published to third-party websites such as OpEdNews.com, BalticWord.com, and TheDuran.com, among others.
While some of these incidents have already received attention from researchers, news outlets, and government entities, others remain obscure. Although the attacks haven’t been attributed to a specific actor, the operations are “part of a larger, concerted, and ongoing influence campaign,” FireEye says in its report (PDF).
“It appears, based on the limited public information available regarding the website compromises we have tied to Ghostwriter, that the actors behind the campaign are relatively well-resourced, either directly possessing traditional cyber threat capabilities themselves or having ready access to operational support from others who do. It is plausible that Ghostwriter operations are conducted by overlapping actors or groups that are also behind other influence campaigns or incidents of cyber threat activity,” FireEye says.
While some of the aspects of the campaign resemble those of the Secondary Infektion operation, the researchers did not observe cyber threat activity to support the previously detailed operations, and many other attributes of the newly detailed attacks are different.
Overall, the observed Ghostwriter operations employ a combination of tactics and dissemination of fake content that often changes from one incident to another. However, each operation begins with the creation of a falsified narrative and fake source documentation.
The false narratives distributed in this campaign rely on fabricated quotes supposedly attributed to officials, as well as falsified official correspondence presented as source for the narratives. Modified images have been employed as well.
Many of the operations abused compromised websites, such as those of news outlets, to publish fake news or documentation. In some cases, the adversaries appear to have replaced existing content on the compromised sites with the fabricated content.
The adversaries disseminated the Ghostwriter narratives and articles via email, published fabricated articles and op-eds on sites that accept user-generated content, and promoted the content through blogs and pages on Blogspot, Wix, and WordPress. In some cases, social media was used for dissemination.
According to FireEye, some of the personas abused in the campaign have been coordinating with each other, and many were observed publishing content as part of the same operation. The 14 personas associated with the campaign have been active in at least 15 suspected Ghostwriter operations since 2017.
“The Ghostwriter campaign leverages traditional cyber threat activity and information operations tactics to promote narratives intended to chip away at NATO’s cohesion and undermine local support for the organization in Lithuania, Latvia, and Poland. While the operations so far have targeted audiences in this limited set of countries, we caution that the same tactics employed in the Ghostwriter campaign can be readily repurposed and used against other target geographies,” FireEye concludes.
Related: Russia Behind Spread of Virus Disinformation, U.S. Officials Say
Related: Democrats ‘Gravely Concerned’ Over Foreign Interference in US Vote
Related: Threat to US Elections Not Limited to Russia in 2020
Related: Twitter Closes Thousands of Fake News Accounts Worldwide