Security researchers have found signs that the pervasive hacking and misinformation campaign comes not from Moscow but from Minsk.
For at least four years, the hacking and disinformation group known has Ghostwriter has plagued countries in Eastern Europe and the Baltics. Given its methods—and its anti-NATO and anti-US messages—the widely held assumption has been that Ghostwriter is yet another Kremlin-led campaign. The European Union even declared at the end of September that some member states have “associated” Ghostwriter “with the Russian state.” As it turns out, that’s not quite right. According to the threat intelligence firm Mandiant, Ghostwriter’s hackers work for Belarus.
Mandiant first took a close look at Ghostwriter in July 2020. The group was then primarily known for creating and distributing fake news articles and even hacking real news sites to post misleading content. By April 2021, Mandiant attributed broader activity to Ghostwriter, including operations to compromise the social media accounts of government officials to spread misinformation and efforts to target politicians with hacking and leaking operations. The group has long focused on undermining NATO’s role in Eastern Europe, and has increasingly turned to stoking political divides or instability in Poland, Ukraine, Lithuania, Latvia, and Germany.