mirror of
https://github.com/DISARMFoundation/DISARMframeworks.git
synced 2024-12-20 21:34:17 -05:00
27 lines
2.5 KiB
Markdown
27 lines
2.5 KiB
Markdown
# Incident I00065: 'Ghostwriter' Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests
|
||
|
||
* **Summary:** <i>“Mandiant Threat Intelligence has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign—ongoing since at least March 2017—aligned with Russian security interests. The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda. We have dubbed this campaign “Ghostwriter.””</I>
|
||
|
||
* **incident type**: campaign
|
||
|
||
* **Year started:** 2020.0
|
||
|
||
* **Countries:** Belarus , Lithuania, Latvia, Poland
|
||
|
||
* **Found via:**
|
||
|
||
* **Date added:** 2024-03-12
|
||
|
||
|
||
| Reference | Pub Date | Authors | Org | Archive |
|
||
| --------- | -------- | ------- | --- | ------- |
|
||
| [https://www.mandiant.com/resources/blog/ghostwriter-influence-campaign](https://www.mandiant.com/resources/blog/ghostwriter-influence-campaign) | 2020/07/28 | Lee Foster, Sam Riddell, David Mainor, Gabby Roncone | Mandiant | [https://web.archive.org/web/20240621162043/https://cloud.google.com/blog/topics/threat-intelligence/ghostwriter-influence-campaign/](https://web.archive.org/web/20240621162043/https://cloud.google.com/blog/topics/threat-intelligence/ghostwriter-influence-campaign/) |
|
||
|
||
|
||
|
||
| Technique | Description given for this incident |
|
||
| --------- | ------------------------- |
|
||
| [T0097.110 Party Official Persona](../../generated_pages/techniques/T0097.110.md) | IT00000215 _”Overall, narratives promoted in the five operations appear to represent a concerted effort to discredit the ruling political coalition, widen existing domestic political divisions and project an image of coalition disunity in Poland. In each incident, content was primarily disseminated via Twitter, Facebook, and/ or Instagram accounts belonging to Polish politicians, all of whom have publicly claimed their accounts were compromised at the times the posts were made."_ <br /> <br />This example demonstrates how threat actors can use compromised accounts to distribute inauthentic content while exploiting the legitimate account holder’s persona (T0097.110: Party Official Persona, T0143.003: Impersonated Persona, T0146: Account Asset, T0150.005: Compromised Asset). |
|
||
|
||
|
||
DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW |