• About Us
  • Contact
  • Careers
  • Send Us a Tip
Menu
  • About Us
  • Contact
  • Careers
  • Send Us a Tip
CyberNews logo
Newsletter
  • Home
  • News
  • Editorial
  • Security
  • Privacy
  • Resources
Menu
  • Home
  • News
  • Editorial
  • Security
  • Privacy
  • Resources
CyberNews logo

Home » Privacy » Ghostwriter campaign: how my name was stolen for an information operation

Ghostwriter campaign: how my name was stolen for an information operation

by Vilius Petkauskas
21 December 2020
in Privacy
0
Ghostwriter campaign: how my name was stolen for an information operation
197
SHARES

An online copy of me lied to the world that NATO troops are being withdrawn from my home country. My credentials were used as a vehicle to disseminate a forged letter by the head of the Alliance, Jens Stoltenberg, claiming NATO is withdrawing due to COVID-19. Months later, online remnants of the attack remain unscathed.

Late in the evening on April 21 of this year, just as I was coming home after a much needed quarantine stroll, my phone rang. “Your identity was used in an information attack,” a representative of the military communications department informed me calmly. 

The representative told me that someone had used an email address bearing my name to send copies of a fake letter that was full of falsehoods. Additionally, someone had set up a Blogspot account in my name to spread these falsehoods. Not only did the mysterious perpetrator or perpetrators use my name for the blog, but it linked to real articles I’ve actually written in order to make the blog look more plausible.

The attackers had also uploaded a fake video of a breaking news story about NATO withdrawing from the Baltics on YouTube and Liveleak with links to “my” blog. A number of articles appeared in English media outlets that I’d never heard of. “Nothing to worry about, these things happen,” the voice explained.

As I rushed to my laptop, eager to see what had happened, droves of thoughts went through my head. Is this a joke, or am I being hacked? When was the last time I changed my key passwords? Who did it and how do I stop it? Am I in danger?

A print screen of a faked blogspot entry in my name

At the time of the attack, I was a fact-checker and my key responsibility was to implement Facebook’s third party fact-checking program. This meant flagging false content by using a tool the company’s engineers provided.

Because I was the only journalist with this responsibility in the Baltics in the midst of a raging tsunami of lies surrounding the pandemic, I was no stranger to anonymous threats and other forms of online bullying and intimidation. Someone stealing my name, however, was very new and at that moment, very scary.

Ghostwriter campaign

What happened to me got a name late July this year. Mandiant, a cybersecurity company owned by FireEye, dubbed the string of events spanning for over three years the “Ghostwriter” influence campaign, a type of information attack or IO for short.

A report on the campaign claims that “the campaign leverages traditional cyber threat activity and information operations tactics to promote narratives intended to chip away at NATO’s cohesion and undermine local support for the organization in Lithuania, Latvia, and Poland.”

According to the report, the perpetrators’ goals align closely with Russia’s security interests. They leverage website compromises or spoofed email accounts to disseminate fabricated content. Legitimate news websites that accept user created content with little to no due diligence were also employed to carry out these operations. Usually, these operations are coordinated with multiple pieces of false information that is published simultaneously.

“The campaign leverages traditional cyber threat activity and information operations tactics to promote narratives intended to chip away at NATO’s cohesion.”

The Mandiant report

The most common tactic of the campaign was to use fabricated quotes and documents to push a narrative designed to undermine NATO’s presence in Eastern Europe. This would include, for example, using a compromised local media outlet to publish an outrageously false story about foreign troops desecrating a local Jewish cemetery. 

Generally, fake government officials and journalists are invented for the sole purpose of dispersing false information in local languages and English, thus the name of the campaign — “Ghostwriter.”

However, at times the names of real people are employed, with the aim of fooling recipients into believing the information is real. And what better way to trick someone than using the identity of a fact-checker.

Undesired popularity

Immediately after publishing an article warning readers about the fake document, I started frantically searching for my name using every search engine I could think of. Somewhat ironically, my name had achieved international “recognition” without my help. 

Several minutes later, I stumbled upon articles supposedly written by me on OpEdNews.com, BalticWord.com, TheDuran.com, ivn.us, poal.co and other outlets. I also found a video on YouTube and Liveleak supposedly uploaded by me. 

A print screen of one of the fake articles with my credentials and a photo

With both the fake articles and videos, a description under my name contained links to my employer’s website and a fake blogspot.com page with my name, surname and photo.

Since I used the same picture for many of my professional accounts, I feared that anyone who tried to Google me would have believed that I was actually the one who had sent an email with a forged letter by Mr. Stoltenberg.

Soon enough, my fears proved to be true. An unusually high number of notifications for views on my LinkedIn started popping up in my email. None of the views made any sense, since they originated primarily from users based in Brussels. 

One of my former university classmates told me the next day that a forged letter with an email bearing my name was being circulated among Brussels-based journalists. And as any journalist would, they Googled the name and were directed to my LinkedIn page. 

Thankfully, all this ruckus was in vain. The Lithuanian Ministry of Defence quickly dismissed the story as false and so did the local media. The story got no traction locally or internationally, and hopefully only a small number of people were tricked into believing the forgery. 

A print screen of one of the fake articles with my credentials

‘Readily employable’

Only the next day did I notice that the previous morning someone with an IP from Argentina tried to log in to at least two email accounts I own. An adrenaline rush from an unexpected phone call probably clouded my attention. A not-so-recent decision to employ two factor authentication (2FA) likely saved me from consequences I don’t want to even think about.

There was enough hassle with the situation already on hand: an annoyingly slow complaint procedure with YouTube, uncooperativeness of shady websites with fake articles with my credentials, a complete wall of silence from Blogspot, and a lack of interest by the police. I truly felt like a ghost: trying to be heard, but to no avail.

No matter the effort to reduce the damage of the attack, traces of my faked credentials still roam the internet, serving as a reminder of the day my name outgrew me and started a life of its own.

Irritating as it was, at least there was no real damage since I am no international star. However, as  Lee Foster, Senior Manager of Information Operations Intelligence Analysis at FireEye discussed on the Eye on Security podcast covering the Ghostwriter campaign, these types of IO tactics are readily employable anywhere around the globe.

Who knows what goals a well crafted IO campaign can achieve with advances in AI-assisted deepfake technology, the stolen credentials of a well-known face, and a bit of tainted luck. One thing is clear, however: we will eventually find out, sooner rather than later, as governments and nonstate actors learn to employ such tactics.

Share197TweetShareShare

Related Posts

Uploading on mobile screen and Data Protection on desktop screen

Privacy and data protection trends in 2021

20 January 2021
An unintended consequence: can deepfakes kill video evidence?

An unintended consequence: can deepfakes kill video evidence?

14 January 2021
Red Personal data drawer

Is your data your personal property?

13 January 2021
Data collection cheat sheet: how Parler, Twitter, Facebook, MeWe’s data policies compare

Data collection cheat sheet: how Parler, Twitter, Facebook, MeWe’s data policies compare

12 January 2021
Next Post
‘Dozens of email accounts’ were hacked at U.S. Treasury

'Dozens of email accounts' were hacked at U.S. Treasury

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

I agree to the Terms & Conditions and Privacy Policy.

Popular News

  • 70TB of Parler users’ messages, videos, and posts leaked by security researchers

    70TB of Parler users’ messages, videos, and posts leaked by security researchers

    83053 shares
    Share 83043 Tweet 0
  • The ultimate guide to safe and anonymous online payment methods in 2021

    13 shares
    Share 13 Tweet 0
  • 8 best cybersecurity podcasts for 2021

    56 shares
    Share 56 Tweet 0
  • Walmart-exclusive router and others sold on Amazon & eBay contain hidden backdoors to control devices

    13365 shares
    Share 13361 Tweet 0
  • Network Attached Storage

    0 shares
    Share 0 Tweet 0
Wall Street vs Main Street fight quashes hedge funds as GameStop keeps rallying

Wall Street vs Main Street fight quashes hedge funds as GameStop keeps rallying

27 January 2021
Google to stop using Apple tool to track iPhone users, avoiding new pop-up warning

Google to stop using Apple tool to track iPhone users, avoiding new pop-up warning

27 January 2021

‘World’s most dangerous malware’ Emotet disrupted

27 January 2021
The satellite-hacker’s guide to the space industry: don’t panic (yet)

The satellite-hacker’s guide to the space industry: don’t panic (yet)

27 January 2021
Man in front of multiple computers

North Korea has been targeting threat researchers

27 January 2021
GameStop extends Reddit driven hyper-rally after Musk tweet

GameStop extends Reddit driven hyper-rally after Musk tweet

27 January 2021
Newsletter

Subscribe for security tips and CyberNews updates.

Email address is required. Provided email address is not valid. You have been successfully subscribed to our newsletter!
Categories
  • News
  • Editorial
  • Security
  • Privacy
  • Resources
  • VPNs
  • Password Managers
  • Secure Email Providers
  • Antivirus Software Reviews
Tools
  • Personal data leak checker
  • Strong password generator
About Us

We aim to provide you with the latest tech news, product reviews, and analysis that should guide you through the ever-expanding land of technology.

Careers

We are hiring.

  • About Us
  • Contact
  • Send Us a Tip
  • Privacy Policy
  • Terms & Conditions
  • Vulnerability Disclosure

© 2021 CyberNews

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.

Home

News

Editorial

Security

Privacy

Resources

  • About Us
  • Contact
  • Careers
  • Send Us a Tip

© 2020 CyberNews – Latest tech news, product reviews, and analyses.

Subscribe for Security Tips and CyberNews Updates
Email address is required. Provided email address is not valid. You have been successfully subscribed to our newsletter!