‘Ghostwriter’ disinformation campaign rages on as Biden prepares for NATO trip
For over a year, Stanislaw Zaryn, a Polish government official, has not been shy about exposing what he says are suspected Russian attempts to interfere in Polish politics.
Zaryn has posted screenshots on Twitter of fake accounts and slapped a blaring “Disinformation” label on them. He has called out a forged letter that criticized the U.S. troop presence in Poland.
But a study published by security firm FireEye on Wednesday makes clear that the propaganda flagged by Zaryn is but one front in a multi-pronged information operations effort aimed at sowing political discord in multiple NATO countries.
FireEye has linked more than 30 such incidents in Lithuania, Latvia, Germany and elsewhere in the last five years to a previously disclosed, ongoing influence campaign it calls Ghostwriter. That includes more than 20 newly discovered Ghostwriter incidents since an initial FireEye report last summer, including one as recent as last month.
The attackers are expanding the techniques they use to plant phony narratives, directly hacking social media accounts rather than just compromising websites or spoofing emails, according to FireEye. And the firm is warning that such tactics could easily be used to target U.S. audiences.
“Eastern Europe has often been a kind of test bed for influence activity and espionage activity … that have then migrated elsewhere,” said Lee Foster, FireEye’s senior manager for information operations analysis. “These types of tactics are readily deployable elsewhere.”
FireEye says the influence campaign aligns with the security interests of Russia, which sees NATO as a threat. But the cybersecurity firm said it did not have the data to attribute the activity to a particular government.
The Ghostwriter activity is the kind of foreign disinformation that Joe Biden will be up against as he prepares to make his first overseas trip as U.S. president in June. Biden will attend a NATO summit in Brussels where is expected to reaffirm the U.S. commitment to the transnational bloc.
NATO has long been a fixation for Ghostwriter operatives. They forged a letter last year from the NATO secretary general to Lithuania’s defense ministry purporting to announce the withdrawal of NATO troops from that country. But the attackers have also veered into pure domestic politics by hacking Polish politicians’ Twitter, Facebook and Instagram accounts to smear them or to attack social activists in Poland, according to FireEye.
Zaryn, a spokesman for the Minister-Special Services Coordinator, which oversees Polish security agencies, told CyberScoop that a range of Polish cyber, military and security agencies have been closely monitoring the Ghostwriter campaign and “exchanging views and assessments” on the matter. “Indeed, there have been some instances where hackers compromised [Twitter or Facebook] accounts of some Polish officials, clearly in an attempt to smear or denigrate them, but the effect was scarce,” Zaryn said in an email.
The influence campaign appears to have a mixed record of gaining circulation with its target audiences. Three Polish websites picked up the forged letter assailing the U.S. military presence in Poland. But Latvian media have mocked “Edgars Palladis,” a fake blogger apparently created by the Ghostwriter operatives.
Mike Collier, an editor at the English edition of Latvia’s public broadcasting service, posted a bumbling message that Palladis wrote to the news outlet claiming an outbreak of coronavirus among Canadian military personnel in Latvia.
“It took something between 1 and 2 seconds to decide this was a load of horse—,” Collier wrote.
Palladis’ online footprint lives on. A Change.org petition in that name that CyberScoop reviewed calls for signatories to “make Europe free from the American threat!”
Even if the Palladis efforts were a flop, analysts caution that it would be a mistake to underestimate the broader intent of the Ghostwriter campaigns. A reminder came last month when the German parliament acknowledged that hackers had targeted the accounts of lawmakers six months before a federal election. A spokesperson for the German parliament did not name the culprit, but FireEye says it was part of the Ghostwriter activity.