Mandiant Attributes Ghostwriter APT Attacks to Belarus


Level 83
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
The Belarusian government is at least partially responsible for the Ghostwriter disinformation campaign, according to security researchers at the Mandiant Threat Intelligence team.

The Ghostwriter disinformation campaign was initially detailed in July 2020, when it was attributed to Russian threat actors. The campaign initially targeted audiences in Lithuania, Latvia, and Poland with NATO-related themes, but has expanded with new narratives since October 2020.

In a report published Tuesday, Mandiant's researchers drew a connection between the threat actor behind Ghostwriter, which has been tracked as UNC1151, and the Belarusian government, saying that Belarus is at least partially responsible for the campaign.

“We cannot rule out Russian contributions to either UNC1151 or Ghostwriter. However, at this time, we have not uncovered direct evidence of such contributions,” the company said.

UNC1151 has been observed targeting both government and private organizations, mainly focusing on those in Germany, Lithuania, Latvia, Poland, and Ukraine. Additionally, the adversary has targeted Belarusian dissidents, journalists, and media entities.