European Union formally blames Russia for the GhostWriter operation

Pierluigi Paganini September 25, 2021

European Union representatives formally accused Russia of attempting to target the elections and political systems of several EU states.

European Union has formally accused Russia of meddling in the elections and political systems of several EU states. EU high representative said that Russia-linked threat actors were behind a recent operation tracked as Ghostwriter.

The officials pointed out that these interferences are unacceptable because threaten the integrity and security of the targeted states, and pose risk to the EU democracies.

“Some EU Member States have observed malicious cyber activities, collectively designated as Ghostwriter, and associated these with the Russian state.” reads the announcement published by the European Union. “These malicious cyber activities are targeting numerous members of Parliaments, government officials, politicians, and members of the press and civil society in the EU by accessing computer systems and personal accounts and stealing data. These activities are contrary to the norms of responsible State behaviour in cyberspace as endorsed by all UN Member States, and attempt to undermine our democratic institutions and processes, including by enabling disinformation and information manipulation.”

In earlier August, security experts from FireEye have uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites.

“The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with anti-North Atlantic Treaty Organization (NATO) narratives, often leveraging website compromises or spoofed email accounts to disseminate fabricated content, including falsified correspondence from military officials” reads the report published by FireEye.

According to FireEye, the campaign, tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.

Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

The attackers used to replace existing legitimate articles on the sites with fake content, instead of creating new posts.

The attackers were spreading fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries.

According to the experts, the campaign primarily targeted audiences in specific states members of the alliance, including Lithuania, Latvia, and Poland.

Ghostwriter operators focused on spreading fabricated quotes, such as a quote falsely attributed to the commander of the NATO eFP Battle Group that was used to push a narrative that 21 Canadian soldiers stationed in Latvia had been infected with COVID-19.

Another piece of fabricated content was a letter presented as to be authored by NATO Secretary General Jens Stoltenberg, which was written to bolster a narrative suggesting that the Atlantic alliance was planning to withdraw from Lithuania in response to the COVID-19 pandemic

This summer the GhostWriter operations began targeting Germany, multiple Bundestag members and tens of state parliamentarians were hit by Russia-linked nation-state actors. Early September, Germany has formally protested to Russia over a series of cyber attacks aimed at stealing data from lawmakers that could be used to arrange disinformation campaigns before the upcoming German election.

The spokeswoman for the Foreign Ministry, Andrea Sasse, said that threat actor tracked as Ghostwriter has been “combining conventional cyberattacks with disinformation and influence operations.” in attacks against Germany.

The alleged state-sponsored hackers conducted phishing attacks against federal and state lawmakers to steal their personal login details.

Russia always denied its involvement in GhostWriter attacks, but at this time has yet to respond to the EU’s latest statement.

“The European Union and its Member States strongly denounce these malicious cyber activities, which all involved must put to an end immediately. We urge the Russian Federation to adhere to the norms of responsible state behaviour in cyberspace.” concludes the announcement. “The European Union will revert to this issue in upcoming meetings and consider taking further steps.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, European Union)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment