Belarus is allegedly behind a hacking and disinformation campaign that has been targeting Eastern European NATO members since 2016, according to a report released Tuesday by U.S. cybersecurity firm Mandiant. The effort, known as Ghostwriter, includes attempts to instill conflict in the intergovernmental military group, obtain confidential information and spy on dissidents, the Associated Press reported.
NATO members in Eastern Europe that all share borders with Belarus, including Poland, Lithuania, and Latvia, as well as Ukraine, are among the main targets of Ghostwriter. While some members of the European Union have suggested that Russia is involved in the campaign, Mandiant’s report is the first time that Belarus has been accused.
The firm cited compelling forensic evidence in its accusations that Belarus played a role in the hacking, but said that it hadn’t uncovered any firm proof that Russia was also involved. This doesn’t necessarily rule Russia out, but makes it harder to connect to the cyber campaign, the AP reported.
Ben Read, Mandiant’s director of cyber-espionage analysis, did not elaborate on why the firm was so assured that Belarus aided the campaign and that the hackers’ operation was likely located in the Belarusian capital, Minsk. He also didn’t explain why cybersecurity researchers are confident that Belarus’ military is also connected to the hackers, referred to by Mandiant as UNC1151.
Read did say that Mandiant’s conclusions were based on telltale digital footprints and the corroboration of other sources, according to the AP.
For more reporting from the Associated Press, see below.
The Belarus government did not immediately respond to a request for comment. A press officer at the Russian Embassy in Washington had no immediate comment on alleged Russian involvement in Ghostwriter. Russian officials regularly reject accusations they are involved in hacking and disinformation activity.
Mandiant is among the most careful and highly respected cybersleuthing practitioners. It works closely with Western law enforcement and intelligence agencies and has been closely tracking Ghostwriter activity and issuing periodic updates.
Also targeted in the campaign were domestic news media and political opponents of Moscow-allied Belarusian President Alexander Lukashenko prior to the 2020 election. He is accused of rigging his reelection, which triggered massive street protests that his security forces violently repressed. Some of those opponents were later arrested, Mandiant said.
Mandiant’s findings come as the European Union has slapped new sanctions on Belarus for ginning up a crisis on its border with Poland, Latvia and Lithuania by encouraging thousands of migrants from Iraq, Syria and elsewhere in the Middle East to mass at the frontier seeking a way into the European Union.
Analysts believe Lukashenko is taking revenge for previous EU sanctions imposed over his alleged election rigging and his anger over Poland granting dissidents political refuge.
In September, Germany accused Russia of trying to steal data from state and federal lawmakers ahead of September 26 parliamentary elections through a hacking campaign it attributed to Ghostwriter. If any information was stolen in that campaign or access to sensitive computer networks gained, there is no evidence to date of it being used as a political weapon, said Read.
Ghostwriter’s yearslong disinformation efforts were primarily focused on trying to discredit NATO and undercut regional security in Lithuania, Latvia and Poland. False narratives were disseminated through hacks of legitimate news outlets, government websites and spoofed emails.
In one instance, it was claimed that NATO was planning to withdraw from Lithuania in response to the COVID-19 pandemic. Another bogus report claimed German soldiers had desecrated a Jewish cemetery in that country. In another operation, a fabricated letter posted on a Polish military academy website called on Polish troops to resist “the American occupation.”
Since the disputed August 2020 Belarus elections, Ghostwriter operations have been more closely aligned to Lukashenko’s political agenda, attempting in particular to create tensions in Polish-Lithuanian relations.
In March, two Polish government websites were hacked and used to briefly spread a false claim that nuclear waste from Lithuania was threatening Poland. On August 17, a fabricated news item alleging that migrants who escaped from a detention center had murdered a Polish priest was published to the website of the Lithuanian municipality of Prienai, whose mayor was quoted in local media as saying the site had been hacked, Mandiant said.
While most of the hacking by UNC1151 targeted Belarus’ neighbors, some was conducted against countries with no obvious connection to it, Mandiant noted. That includes phishing emails sent in 2019 to the Colombian, Irish and Swiss governments, it said.