
Incident I00065: 'Ghostwriter' Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests

  • Summary: “Mandiant Threat Intelligence has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign—ongoing since at least March 2017—aligned with Russian security interests. The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda. We have dubbed this campaign “Ghostwriter.””

  • Incident type: campaign

  • Year started: 2020

  • Countries: Belarus, Lithuania, Latvia, Poland

  • Found via:

  • Date added: 2024-03-12

| Reference | Pub Date | Authors | Org | Archive |
| --------- | -------- | ------- | --- | ------- |
| https://www.mandiant.com/resources/blog/ghostwriter-influence-campaign | 2020/07/28 | Lee Foster, Sam Riddell, David Mainor, Gabby Roncone | Mandiant | https://web.archive.org/web/20240621162043/https://cloud.google.com/blog/topics/threat-intelligence/ghostwriter-influence-campaign/ |

| Technique | Description given for this incident |
| --------- | ----------------------------------- |
| T0141.001 Acquire Compromised Account | IT00000215 “Overall, narratives promoted in the five operations appear to represent a concerted effort to discredit the ruling political coalition, widen existing domestic political divisions and project an image of coalition disunity in Poland. In each incident, content was primarily disseminated via Twitter, Facebook, and/or Instagram accounts belonging to Polish politicians, all of whom have publicly claimed their accounts were compromised at the times the posts were made.”<br><br>This example demonstrates how threat actors can use T0141.001: Acquire Compromised Account to distribute inauthentic content while exploiting the legitimate account holder's persona. |

DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW