Direct traces of a cyberespionage operation, part of which is the leak of e-mails belonging to, among others, Michał Dworczyk, lead to Minsk and the Belarusian services, according to analysts from Mandiant, an international company that studies cyber threats worldwide. At the same time, they do not rule out that Russia is behind the entire Ghostwriter operation, which is carried out by the hacker group UNC1151. The analysts’ conclusions are largely in line with the findings published in the summer on tvn24.pl by journalists from the Reporters Foundation. Summary by Anna Gielewska.
Members of the UNC1151 group, which supports the Ghostwriter campaign, are based in Minsk, according to the latest update of the Mandiant Threat Intelligence report. “The UNC1151 group, which provides technical support for Operation Ghostwriter, is linked to the government of Belarus,” the cyber analysts write. They add that “Belarus is also at least partially responsible for the Ghostwriter campaign”, while not excluding a Russian contribution to UNC1151 or Ghostwriter.
Goal: NATO and Belarus’s neighbors
According to Mandiant’s findings published on Tuesday:
– the actions of the UNC1151 group, which attacks institutions and private entities in Ukraine, Lithuania, Latvia, Poland and Germany, are in line with the interests of the Belarusian government, and the attacks also target Belarusian oppositionists;
– apart from domains used around the world, the group impersonates popular domains in these five countries (in Poland, for example, websites that also offer e-mail services);
– although most of the attacks carried out by UNC1151 were against countries neighboring Belarus, attacks in other countries were also reported (especially in 2016-2019), which may indicate that “UNC1151 also supports additional targets”;
– information attacks that were part of the Ghostwriter operation hit NATO before 2020; from mid-2020 they focused primarily on Belarus’s neighbors.
Main beneficiary: the Belarusian regime
The latest conclusions of Mandiant’s analysts are largely in line with the findings of journalists from the Reporters Foundation, published in April and over the summer on tvn24.pl and vsquare.org. As we wrote with Julia Dauksza at the time, the e-mail scandal of the PiS government is exploited mainly by the Belarusian regime, but the Ghostwriter campaign also pursues Russian objectives.
Let us recall some of those findings:
– there is a direct connection between the Ghostwriter operation, which pursues Russian objectives, and the attacks on Dworczyk’s mailboxes;
– it cannot be ruled out that the access to the accounts, and the data on them, obtained by the UNC1151 group are used in several independent operations or by several cooperating groups conducting various types of cyberespionage and disinformation activities;
– at the beginning of a series of phishing attacks (harvesting logins and passwords with e-mails imitating popular services), which had been going on since the beginning of the pandemic, the perpetrators tried to gain access to, among other things, the remote work environment of the Ministry of National Defense, and later also to, for example, military targets in Ukraine;
– there are some similarities between the pattern of the cyberespionage group UNC1151, involved in the Ghostwriter campaign, and the activities of the GRU-linked groups known as Fancy Bear and Sandworm, which have collaborated on high-profile international hacking attacks.
As we wrote at the time, as early as September 2020 a Belarusian thread appeared in the Ghostwriter operation, in attacks using hacked accounts of Polish users (at that time these attacks mainly targeted Polish-Lithuanian relations).
Means: Belarusian propaganda machine
From the beginning of the e-mail scandal, the contents of Michał Dworczyk’s mailbox have been widely used by the Belarusian propaganda machine, which the authors of the latest Mandiant report also point out. The Belarusian regime media use them to lend credence to the narrative that the protests against the results of the presidential election were inspired and financed from Poland. They also refer to the Russian-language Telegram channel where alleged e-mails from Dworczyk are published with a translation into Russian, which Mandiant considers one of the “source resources used in the Ghostwriter operation”.
As we wrote in July, the claim that “the Polish regime censors social media from inconvenient information about its blatant interference in Belarus’ affairs” was posted by a channel called “OMON Moscow” (the post was deleted a moment later).
Strategy: impersonating Polish entities
Cyber threat intelligence companies perform attribution (i.e. assigning attacks to a specific group) on the basis of detailed technical analyses, primarily of the infrastructure used to carry out the attacks (such as IP addresses, DNS servers or SSL certificates).
Mandiant points out that the historical domains used by UNC1151 mimicked the websites of entities such as the Maltese government and the Kuwaiti army, which lie outside the immediate geographical vicinity of Belarus. Newer domains used by UNC1151 impersonate entities related to targets in Poland, Lithuania and Ukraine.
We have also described these relationships and similarities between the domains attributed to UNC1151 on tvn24.pl and vsquare.org. The trail ended at a non-existent street in Kiev or in the Altai Krai in Siberia, where several dozen domains and subdomains were registered, set up to harvest passwords for popular services (e.g. Facebook, Twitter, iCloud), for Polish mailboxes on wp.pl and Onet, but also for the Polish Ministry of National Defense or Ukroboronprom, a Ukrainian arms concern. Chronologically, the oldest domain was created in March 2020 and led to a login page related to the Ukrainian military.
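As an added, defender-side illustration (not code from the article, Mandiant or the Reporters Foundation), the script below scores observed hostnames against the brand names the article lists as impersonated by UNC1151 lookalike domains, so that candidates can be queued for analyst review; the brand list, allowlist, homoglyph table and sample hostnames are assumptions and constructed data, not infrastructure from the page.

```python
# Brands the article names as impersonated; allowlist = their real domains (assumed).
BRANDS = ["facebook", "twitter", "icloud", "wp", "onet"]
ALLOWLIST = {"facebook.com", "twitter.com", "icloud.com", "wp.pl", "onet.pl"}
TLD_LABELS = {"com", "pl", "net", "org", "info"}   # skipped when scanning labels
HOMOGLYPHS = str.maketrans("01345", "oleas")        # digit-for-letter swaps

def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic row-by-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reasons(host: str) -> list[str]:
    """Explain why `host` resembles a brand; an empty list means it looks clean."""
    labels = [l for l in host.lower().strip(".").split(".") if l]
    # Assumption: registrable domain = last two labels (no public-suffix list here).
    if len(labels) < 2 or ".".join(labels[-2:]) in ALLOWLIST:
        return []
    reasons = []
    for label in labels:
        if label in TLD_LABELS:
            continue
        norm = label.translate(HOMOGLYPHS)   # faceb00k -> facebook
        tokens = norm.split("-")             # wp-poczta -> ["wp", "poczta"]
        for brand in BRANDS:
            if brand in tokens:
                reasons.append(f"label '{label}' contains brand token '{brand}'")
            elif len(brand) >= 5:            # short brands only match whole tokens
                limit = 1 if len(brand) <= 6 else 2
                if brand in norm:
                    reasons.append(f"label '{label}' embeds '{brand}'")
                elif any(levenshtein(t, brand) <= limit for t in tokens):
                    reasons.append(f"label '{label}' is within {limit} edits of '{brand}'")
    return reasons

def flag_hosts(hosts: list[str]) -> dict[str, list[str]]:
    """Return only the hosts worth an analyst's review, with their reasons."""
    return {h: r for h in hosts if (r := lookalike_reasons(h))}

# Constructed sample, as might come from DNS logs or a certificate-transparency feed.
OBSERVED = [
    "login.wp.pl", "wp.pl.secure-login.net", "poczta.onet.pl", "0net-poczta.com",
    "faceb00k.com", "twiter-verify.com", "icloud.com", "news.example.org",
]
```

Running `flag_hosts(OBSERVED)` flags the four constructed lookalikes and passes the legitimate wp.pl, onet.pl and icloud.com hosts.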
Subsequent clues, however, led to domain patterns used in even earlier and more complex attacks, which other cybersecurity companies have attributed to the APT28 group (APT stands for “advanced persistent threat”). This is the alias given to a unit that presented itself in the media as the “activist group” Fancy Bear and was unmasked as a unit of the GRU, Russian military intelligence. The group has also worked with another major hacker group linked to the Russian security services, Sandworm, on the highest-profile attacks of recent years.
Russian trail? “Collaboration is likely”
According to Mandiant’s analysts, there is no technical evidence at this stage linking the activities of UNC1151 to the well-known Russian groups, and UNC1151 employs unique tools and behaviors. “We have no direct evidence of Russian involvement in UNC1151 or Operation Ghostwriter,” the analysts write, stressing, however, that the entire operation coincides with Russian objectives and that “cooperation is possible given the close ties between governments.” “Russia has knowledge of offensive cyber and information operations that could support the operation,” they add.
The Russian scenario is also indicated by the earlier findings of the German services, which, after a series of cyberattacks on Bundestag deputies, attributed the “Ghostwriter” operation to GRU activities, as revealed, among others, by Hakan Tanriverdi, a journalist for German public television.
At the end of October, the EU Council condemned Operation Ghostwriter, pointing to its Russian inspiration: “The observed malicious cyber-activity is targeting numerous members of parliament, government officials, politicians, and representatives of the press and civil society in the EU. It consists of gaining access to computer systems and personal accounts and data theft. These actions (…) are an attempt to undermine our democratic institutions and processes, because they serve, inter alia, to disinform and manipulate information,” the communiqué said.
Considering the scale of operations in several countries at the same time, the large commitment of forces and resources, the geostrategic goals and the distribution through Russian-language networks, it can be assumed that this is not the level of independent activity by Belarusian services, without participation, supervision, training or support from Russian services.
Meanwhile, five months of uninterrupted leaks from the e-mail box of the head of the Chancellery of the Prime Minister, in the face of which the Polish government remains helpless, have just passed. Almost every day, further e-mails revealing the backstage of the activities of the country’s leading figures are published on a dedicated website. And this is still only the tip of the iceberg: as we already revealed in March on tvn24.pl, a potentially huge amount of sensitive information remains at the disposal of those behind the “Ghostwriter” operation.