Ghostwriter (hacker group)

Ghostwriter
Formation	c. 2016
Type	Minsk, Belarus
Region	Belarus
Methods	phishing
Affiliations	Armed Forces of Belarus

Ghostwriter, also known as UNC1151 and Storm-0257 by Microsoft,^[2] is a hacker group allegedly originating from Belarus. According to the cybersecurity firm Mandiant, the group has spread disinformation critical of NATO since at least 2016.^[3]

History

The name Ghostwriter comes from the group's first attacks, whereby they would steal credentials of journalists or publishers and publish fake articles using those credentials. Hence, the group effectively became unwanted

ghostwriters for those with stolen credentials.^[4] UNC1151 is an internal company name by Mandiant given to uncategorized groups of "cyber intrusion activity."^[5]

The European Union has blamed this group for hacking German government officials.

EU's foreign policy chef Josep Borrell has threatened Russia for sanctions.^[6]

According to Serhiy Demedyuk, deputy secretary of the national security and defense council of Ukraine, the group was responsible for defacement of Ukrainian government websites in January 2022.^[7]

In February 2022

invasion of Ukraine.^[8] Mandiant said that two domains mentioned by the CERT, i[.]ua-passport[.]space and id[.]bigmir[.]space were known command and control domains of the group.^[8] Mandiant also said "We are able to tie the infrastructure reported by CERT.UA to UNC1151, but have not seen the phishing messages directly. However, UNC1151 has targeted Ukraine and especially its military extensively over the past two years, so this activity matches their historical pattern."^[8]^[7]

Characteristics and techniques

The group has executed

spear-phishing campaigns against members of legitimate press to infiltrate the content management systems of those organizations. Then, the group uses the system to publish their own fake stories.^[9]

References

^ ^a ^b Satter, Raphael (2022-02-25). "Ukraine says its military is being targeted by Belarusian hackers". Reuters. Retrieved 2022-03-07.
^ "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
^ "Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity | Mandiant". www.mandiant.com. Retrieved 2022-03-02.
^ "'Ghostwriter' Influence Campaign" (PDF). FireEye. Retrieved 5 March 2022.
^ "DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors | Mandiant". www.mandiant.com. Retrieved 2022-03-07.
^ "EU threatens sanctions on Russia over 'malicious cyber activities'". euronews. 2021-09-24. Retrieved 2021-09-24.
^ ^a ^b Polityuk, Pavel (2022-01-16). "EXCLUSIVE Ukraine suspects group linked to Belarus intelligence over cyberattack". Reuters. Retrieved 2022-03-07.
^ ^a ^b ^c Corfield, Gareth (2022-02-25). "Ukraine seeks volunteers to defend networks as Russian troops menace Kyiv". The Register. Retrieved 2022-02-26.
ISSN 1059-1028
. Retrieved 2022-03-02.

v
t
e
Hacking in the 2020s
← 2010s Timeline 2030s →
Major incidents
2020

BlueLeaks

Twitter account hijacking

European Medicines Agency data breach

Nintendo data leak

United States federal government data breach

EasyJet data breach

Vastaamo data breach

2021

Microsoft Exchange Server breach

Ivanti Pulse Connect Secure data breach

Colonial Pipeline ransomware attack

Health Service Executive ransomware attack

Waikato District Health Board ransomware attack

JBS S.A. ransomware attack

Kaseya VSA ransomware attack

Transnet ransomware attack

Epik data breach

FBI email hack

National Rifle Association ransomware attack

Banco de Oro hack

2022

Ukraine cyberattacks

Red Cross data breach

Anonymous and the Russian invasion of Ukraine

Viasat hack

DDoS attacks on Romania

Costa Rican ransomware attack

LastPass vault theft

Shanghai police database leak

Grand Theft Auto VI content leak

2023

Munster Technological University ransomware attack

Evide data breach

MOVEit data breach

Insomniac Games data breach

Polish railway cyberattack

British Library cyberattack

2024

XZ Utils backdoor

Groups

Anonymous
associated events

Anonymous Sudan

Berserk Bear

Clop

Cozy Bear

DarkMatter

DarkSide

Dridex

Ghostwriter

GnosticPlayers

Guacamaya

Hafnium

IT Army of Ukraine

Killnet

Lapsus$

LightBasin

Lockbit

REvil

Sandworm

Sakura Samurai

ShinyHunters

Wizard Spider

Individuals

Graham Ivan Clark

maia arson crimew

Kirtaner

Major vulnerabilities
publicly disclosed

SMBGhost (2020)

Thunderspy (2020)

PrintNightmare (2021)

FORCEDENTRY (2021)

Log4Shell (2021)

Account pre-hijacking (2022)

Retbleed (2022)

Downfall (2023)

LogoFAIL (2023)

Reptar (2023)

Terrapin (2023)

GoFetch (2024)

Malware
2020

Adrozek

Drovorub

2021

Predator

2022

Cyclops Blink

Pipedream

This computer security article is a stub. You can help Wikipedia by expanding it.
v
t
e

Retrieved from "https://en.wikipedia.org/w/index.php?title=Ghostwriter_(hacker_group)&oldid=1197569859"

[reuters20220225-1] Satter, Raphael (2022-02-25). "Ukraine says its military is being targeted by Belarusian hackers". Reuters. Retrieved 2022-03-07.

[ms-threat-actors-24-2] "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.

[mandiant-3] "Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity | Mandiant". www.mandiant.com. Retrieved 2022-03-02.

[4] "'Ghostwriter' Influence Campaign" (PDF). FireEye. Retrieved 5 March 2022.

[5] "DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors | Mandiant". www.mandiant.com. Retrieved 2022-03-07.

[6] "EU threatens sanctions on Russia over 'malicious cyber activities'". euronews. 2021-09-24. Retrieved 2021-09-24.

[polityuk-7] Polityuk, Pavel (2022-01-16). "EXCLUSIVE Ukraine suspects group linked to Belarus intelligence over cyberattack". Reuters. Retrieved 2022-03-07.

[tr-ukraine-seeks-volunteers-to-defend-networks-8] Corfield, Gareth (2022-02-25). "Ukraine seeks volunteers to defend networks as Russian troops menace Kyiv". The Register. Retrieved 2022-02-26.

[9] ISSN 1059-1028
. Retrieved 2022-03-02.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]