West in the dark about Ghostwriter misinformation campaign, claims report


Western countries simply cannot deal with a malicious hack-and-leak misinformation Ghostwriter campaign because they lack extensive knowledge about the operator behind it, a new report says.

This is worrying, findings from Cardiff University’s Security, Crime and Intelligence Innovation Institute show, as the campaign is widespread and manipulates factual information on an industrial scale.

Researchers have been tracking Ghostwriter via open-source data, demonstrating how it has impersonated multiple government officials, NATO representatives, and journalists across Europe.

ADVERTISEMENT

According to the team’s analysis, the group, banned from Meta platforms in 2022, has impacted thousands of email users, hacked dozens of social media accounts and media websites, and published hundreds of false blog posts.

In 2020, a Cybernews reporter had his own details hijacked by Ghostwriter, his name put to fake news stories declaring a NATO pullout from the Baltic region as a result of “COVID concerns.”

The group, believed to contain a mixture of Belarussian and Russian operators, has been active since 2016. There are obviously quite a few such pro-Kremlin hacktivists these days, especially after Russia attacked Ukraine a year ago – but Ghostwriter works on a higher level, the report says.

The group’s operations are timed and planned to coincide with important political events such as elections or military exercises. The fakes are usually convincing enough for targeted governments or politicians to publicly react to and rebut them.

ghosts-list
Ghostwriter's operations. Courtesy of Cardiff University.

According to the researchers, Ghostwriter uses both cyber and influence, or psyop, components in their operations – and that is why the group, even though it’s been pretty consistent over the years, is poorly understood. The West doesn't actually know who it is dealing with: is a certain country behind it, or is it an independent hacktivist collective?

“To date, much policy attention has centered on the [Russian] Internet Research Agency and its interference in the US election in 2016. Ghostwriter is an example of another persistent, large-scale, and well-resourced operation, but with very different tactics to the Internet Research Agency’s playbook,” said Anneli Ahonen, lead author of the report.

“Currently, cyber and influence operations are understood as separate fields, with distinct sets of expert knowledge. But the adversaries often don’t make similar distinctions between the two. A more coordinated approach, which brings together both areas of research, would be a more successful way of combatting disinformation and informing the public.”

ADVERTISEMENT

According to professor Martin Innes, director of the Security, Crime and Intelligence Innovation Institute, Western governments lack a comprehensive approach to the Ghostwriter problem because, so far, they have been analyzing different facets of the campaign and failing to see the bigger picture.

“Criminologists use the ‘term ‘linkage blindness’ to describe the problems that arise when different police agencies are all engaged in investigating the same persistent perpetrator, and each investigator has only a partial view of how and why the harmful act is being committed. This concept describes what has happened with the response to Ghostwriter,” said Innes.

Cardiff University’s analysis draws together the publicly available open-source evidence of 34 incidents attributed to the Ghostwriter campaign between the summer of 2016 and the summer of 2021, as well as official government communications, media reports, fact-checks and NGOs and think-tanks’ analysis.

The operation is still active and ongoing today. Most recently in January 2022, Ukraine provisionally connected a cyber-attack against dozens of government websites to UNC1151, the state-actor believed to conduct the cyber-activity behind the Ghostwriter campaign.

Back then, researchers in Ukraine claimed that the technical information pinned the operation HQ to the Belarusian capital Minsk. Belarus is a staunch ally of Russia.