# Incident I00065: 'Ghostwriter' Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests * **Summary:** > Mandiant Threat Intelligence has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign—ongoing since at least March 2017—aligned with Russian security interests. The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda. We have dubbed this campaign “Ghostwriter.” * **incident type**: campaign * **Year started:** 2020 * **Countries:** Belarus , Lithuania, Latvia, Poland * **Found via:** * **Date added:** 2024-03-12 | Reference(s) | | --------- | | [https://www.mandiant.com/resources/blog/ghostwriter-influence-campaign](https://www.mandiant.com/resources/blog/ghostwriter-influence-campaign) | | Technique | Description given for this incident | | --------- | ------------------------- | | [T0141.001 Acquire Compromised Account](../../generated_pages/techniques/T0141.001.md) | IT00000215 > Overall, narratives promoted in the five operations appear to represent a concerted effort to discredit the ruling political coalition, widen existing domestic political divisions and project an image of coalition disunity in Poland. In each incident, content was primarily disseminated via Twitter, Facebook, and/ or Instagram accounts belonging to Polish politicians, all of whom have publicly claimed their accounts were compromised at the times the posts were made.   This example demonstrates how threat actors can use _T0141.001: Acquire Compromised Account_ to distribute inauthentic content while exploiting the legitimate account holder’s persona. | DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW