A team of hackers associated with the Ghostwriter cyber-operation, as part of which the emails of Polish politicians were leaked, may have connections to the Belarusian government, warns American cybersecurity company Mandiant.
In a detailed report, Mandiant Threat Intelligence assessed with “high confidence” that the hacking group known as UNC1151 was connected with Belarusian authorities, due to technical and geopolitical factors. The company’s experts also noted that the Ghostwriter hacking campaign was at least partially the work of the Belarusian regime.
According to Mandiant, the disinformation part of the Ghostwriter operation started in 2016 and the cyber-espionage part in 2017. The campaign received its name due to the hackers’ initial tactics which saw them break into local portal systems and add false information aimed mainly against NATO soldiers.
Since that period, the operation has expanded its scope to include the theft of sensitive data and breaking into the online accounts of politicians, the culmination of which was the publishing of e-mails from the private account of the head of the Polish PM’s Chancellery Michał Dworczyk, which is ongoing till this day.
In early June, Polish media reported that the hackers had managed to break into Michał Dworczyk’s private email account. Since then, mails and screenshots from his account have appeared on Telegram channels. The cyberattack against Dworczyk was not the only one in recent months. In fact, there has been a whole series of hack attacks against the email accounts of United Right politicians
According to Mandiant, both technical data and the aims of UNC1151 operations point strongly to Belarusian participation. The company noted that the operation (initially directed against the presence of NATO soldiers on the Eastern flank) has changed its goals and later targeted mainly the governments and societies of Belarus’s neighbors and the Belarusian opposition itself.
“Promoted narratives have focused on alleging corruption or scandal within the ruling parties in Lithuania and Poland, attempting to create tensions in Polish-Lithuanian relations, and discrediting the Belarusian opposition,” the report stated.
Some of the hackers’ activities also concerned the controversies associated with the construction of a Belarusian nuclear reactor near the border with Lithuania.
“We cannot rule out Russian contributions to either UNC1151 or Ghostwriter. However, at this time, we have not uncovered direct evidence of such contributions,” the report also reads.
Mandiant was the first institution to identify the Ghostwriter cyberoperation that was being conducted since 2016. It was initially thought to have been the work of Russian intelligence services, and the head of EU diplomacy, Josep Borrell, also pointed to Russian participation in a September statement.
