🇧🇾

Operation Ghostwriter

APT Group Sabotage and destruction Information theft and espionage 1 zero-day CVE ETDA ✓

Also Known As 6 names

DEV-0257 PUSHCHA Storm-0257 TA445 UAC-0057 UNC1151

Target Countries 14

Countries highlighted in red

Belarus Switzerland Colombia Germany Estonia France Ireland Kuwait Lithuania Latvia Mexico Poland Ukraine United States

Sectors Targeted

Computer Systems Design Services 541512 Educational Services 61 Computer Systems Design and Related Services 5415 Media Internet Publishing and Broadcasting and Web Search Portals 51913 Space Research and Technology 927 Public Administration 92 Periodical Publishers 51112 Other Information Services 519 Performing Arts Companies 7111 Telecommunications 517 Defense National Security and International Affairs 928110 Computer Systems Design and Related Services 54151 National Security and International Affairs 928 Government Arts, Entertainment, and Recreation 71 Publishing Industries (except Internet) 511 Education

Details

Origin 🇧🇾 BY

Last Updated 11 May 2024

Malware Families 1

NJRAT

MITRE ATT&CK 50

T1012 - Query Registry T1027 - Obfuscated Files or Information T1033 - System Owner/User Discovery T1036 - Masquerading T1053.005 - Scheduled Task T1055 - Process Injection T1057 - Process Discovery T1059 T1059.003 - Windows Command Shell T1059.005 - Visual Basic T1059.007 - JavaScript T1071 T1071.001 - Web Protocols T1078 - Valid Accounts T1082 - System Information Discovery T1083 - File and Directory Discovery T1102.002 - Bidirectional Communication T1102.003 - One-Way Communication T1104 T1105 - Ingress Tool Transfer T1114 - Email Collection T1114.001 - Local Email Collection T1114.002 - Remote Email Collection T1132.001 - Standard Encoding T1137 T1140 - Deobfuscate/Decode Files or Information T1176 - Browser Extensions T1190 - Exploit Public-Facing Application T1195.001 T1203 T1204.002 - Malicious File T1205 - Traffic Signaling T1208 T1218 T1218.011 - Rundll32 T1486 T1518 - Software Discovery T1518.001 - Security Software Discovery T1539 - Steal Web Session Cookie T1547 T1547.001 - Registry Run Keys / Startup Folder T1566 - Phishing T1566.001 - Spearphishing Attachment T1573.001 - Symmetric Cryptography T1573.002 - Asymmetric Cryptography T1574 T1583.001 - Domains T1584.001 - Domains T1586 - Compromise Accounts T1588.001 - Malware

Related Zero-Days 1

CVE-2025-24200

Known Names 9 entries

Operation Ghostwriter FireEye

UNC1151 FireEye

TA445 Proofpoint

UAC-0051 CERT-UA

UAC-0057 CERT-UA

PUSHCHA Google

DEV-0257 Microsoft

Storm-0257 Microsoft

White Lynx Palo Alto

Observed Target Countries 12

Based on ETDA data — countries highlighted in red

Belarus Colombia Estonia France Germany Ireland Kuwait Latvia Lithuania Poland Switzerland Ukraine

Description

(FireEye) Mandiant Threat Intelligence has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign—ongoing since at least March 2017—aligned with Russian security interests. The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda. We have dubbed this campaign “Ghostwriter.” Many, though not all of the incidents we suspect to be part of the Ghostwriter campaign, appear to have leveraged website compromises or spoofed email accounts to disseminate fabricated content, including falsified news articles, quotes, correspondence and other documents designed to appear as coming from military officials and political figures in the target countries.

Tools Used 5

Cobalt Strike HALFSHELL Impacket RADIOSTAR VIDEOKILLER

Operations 13

2021 Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity https://content.fireeye.com/web-assets/rpt-unc1151-ghostwriter-update

2021-03 German Parliament targeted again by Russian state hackers https://www.bleepingcomputer.com/news/security/german-parliament-targeted-again-by-russian-state-hackers/

2022-01 Ukraine suspects group linked to Belarus intelligence over cyberattack https://www.reuters.com/world/europe/exclusive-ukraine-suspects-group-linked-belarus-intelligence-over-cyberattack-2022-01-15/

2022-02 Ukraine links Belarusian hackers to phishing targeting its military https://www.bleepingcomputer.com/news/security/ukraine-links-belarusian-hackers-to-phishing-targeting-its-military/

2022-02 In the past several days, we’ve seen increased targeting of people in Ukraine, including Ukrainian military and public figures https://about.fb.com/news/2022/02/security-updates-ukraine/

2022-02 Operation “Asylum Ambuscade” State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/

2022-02 Ghostwriter/UNC1151, a Belarusian threat actor, has conducted credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations. https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/

2022-03 GhostWriter APT targets state entities of Ukraine with Cobalt Strike Beacon https://securityaffairs.co/wordpress/129527/apt/ghostwriter-apt-targets-state-entities-of-ukraine-with-cobalt-strike-beacon.html

2022-03 Ghostwriter, a Belarusian threat actor, recently introduced a new capability into their credential phishing campaigns. In mid-March, a security researcher released a blog post detailing a 'Browser in the Browser' phishing technique. https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/

2022-04 Ghostwriter, a Belarusian threat actor, has remained active during the course of the war and recently resumed targeting of Gmail accounts via credential phishing. https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/

2022-04 Malicious campaigns target government, military and civilian entities in Ukraine, Poland https://blog.talosintelligence.com/malicious-campaigns-target-entities-in-ukraine-poland/

2024-04 UNC1151 Strikes Again: Unveiling Their Tactics Against Ukraine’s Ministry of Defence https://cyble.com/blog/unc1151-strikes-again-unveiling-their-tactics-against-ukraines-ministry-of-defence/

2025-01 Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition https://www.sentinelone.com/labs/ghostwriter-new-campaign-targets-ukrainian-government-and-belarusian-opposition/

Reports & References 5

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/Ghostwriter-Influence-Campaign.pdf https://www.prevailion.com/diving-deep-into-unc1151s-infrastructure-ghostwriter-and-beyond/ https://www.mandiant.com/resources/unc1151-linked-to-belarus-government https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/

ETDA Profile

Operation Ghostwriter

Origin

Belarus

First Seen 2017

Sponsor State-sponsored

Motivation

Information theft and espionage Sabotage and destruction

View on ETDA APT Groups ↗