Ghostwriter campaign: how my name was stolen for an information operation
An online copy of me lied to the world that NATO troops are being withdrawn from my home country. My credentials were used as a vehicle to disseminate a forged letter by the head of the Alliance, Jens Stoltenberg, claiming NATO is withdrawing due to COVID-19. Months later, online remnants of the attack remain unscathed.
Late in the evening on April 21 of this year, just as I was coming home after a much needed quarantine stroll, my phone rang. “Your identity was used in an information attack,” a representative of the military communications department informed me calmly.
The representative told me that someone had used an email address bearing my name to send copies of a fake letter that was full of falsehoods. Additionally, someone had set up a Blogspot account in my name to spread these falsehoods. Not only did the mysterious perpetrator or perpetrators use my name for the blog, but it linked to real articles I’ve actually written in order to make the blog look more plausible.
The attackers had also uploaded a fake video of a breaking news story about NATO withdrawing from the Baltics on YouTube and Liveleak with links to “my” blog. A number of articles appeared in English media outlets that I’d never heard of. “Nothing to worry about, these things happen,” the voice explained.
As I rushed to my laptop, eager to see what had happened, droves of thoughts went through my head. Is this a joke, or am I being hacked? When was the last time I changed my key passwords? Who did it and how do I stop it? Am I in danger?
At the time of the attack, I was a fact-checker and my key responsibility was to implement Facebook’s third-party fact-checking program. This meant flagging false content by using a tool the company's engineers provided.
Because I was the only journalist with this responsibility in the Baltics in the midst of a raging tsunami of lies surrounding the pandemic, I was no stranger to anonymous threats and other forms of online bullying and intimidation. Someone stealing my name, however, was very new and at that moment, very scary.
What happened to me got a name in late July this year. Mandiant, a cybersecurity company owned by FireEye, dubbed the string of events spanning over three years the “Ghostwriter” influence campaign, a type of information attack, or IO for short.
A report on the campaign claims that “the campaign leverages traditional cyber threat activity and information operations tactics to promote narratives intended to chip away at NATO’s cohesion and undermine local support for the organization in Lithuania, Latvia, and Poland.”
According to the report, the perpetrators’ goals align closely with Russia’s security interests. They leverage website compromises or spoofed email accounts to disseminate fabricated content. Legitimate news websites that accept user-created content with little to no due diligence were also employed to carry out these operations. Usually, these operations are coordinated, with multiple pieces of false information published simultaneously.
The most common tactic of the campaign was to use fabricated quotes and documents to push a narrative designed to undermine NATO's presence in Eastern Europe. This would include, for example, using a compromised local media outlet to publish an outrageously false story about foreign troops desecrating a local Jewish cemetery.
Generally, fake government officials and journalists are invented for the sole purpose of dispersing false information in local languages and English, thus the name of the campaign -- “Ghostwriter.”
However, at times the names of real people are employed, with the aim of fooling recipients into believing the information is real. And what better way to trick someone than using the identity of a fact-checker?
Immediately after publishing an article warning readers about the fake document, I started frantically searching for my name using every search engine I could think of. Somewhat ironically, my name had achieved international “recognition” without my help.
Several minutes later, I stumbled upon articles supposedly written by me on OpEdNews.com, BalticWord.com, TheDuran.com, ivn.us, poal.co and other outlets. I also found a video on YouTube and Liveleak supposedly uploaded by me.
With both the fake articles and videos, a description under my name contained links to my employer’s website and a fake blogspot.com page with my name, surname and photo.
Since I used the same picture for many of my professional accounts, I feared that anyone who tried to Google me would have believed that I was actually the one who had sent an email with a forged letter by Mr. Stoltenberg.
Soon enough, my fears proved to be true. An unusually high number of notifications for views on my LinkedIn started popping up in my email. None of the views made any sense, since they originated primarily from users based in Brussels.
One of my former university classmates told me the next day that a forged letter with an email bearing my name was being circulated among Brussels-based journalists. And as any journalist would, they Googled the name and were directed to my LinkedIn page.
Thankfully, all this ruckus was in vain. The Lithuanian Ministry of Defence quickly dismissed the story as false and so did the local media. The story got no traction locally or internationally, and hopefully only a small number of people were tricked into believing the forgery.
Only the next day did I notice that the previous morning someone with an IP from Argentina tried to log in to at least two email accounts I own. An adrenaline rush from an unexpected phone call probably clouded my attention. A not-so-recent decision to employ two-factor authentication (2FA) likely saved me from consequences I don’t want to even think about.
There was enough hassle with the situation already on hand: an annoyingly slow complaint procedure with YouTube, uncooperativeness of shady websites with fake articles with my credentials, a complete wall of silence from Blogspot, and a lack of interest by the police. I truly felt like a ghost: trying to be heard, but to no avail.
No matter the effort to reduce the damage of the attack, traces of my faked credentials still roam the internet, serving as a reminder of the day my name outgrew me and started a life of its own.
Irritating as it was, at least there was no real damage since I am no international star. However, as Lee Foster, Senior Manager of Information Operations Intelligence Analysis at FireEye, discussed on the Eye on Security podcast covering the Ghostwriter campaign, these types of IO tactics are readily employable anywhere around the globe.
Who knows what goals a well-crafted IO campaign can achieve with advances in AI-assisted deepfake technology, the stolen credentials of a well-known face, and a bit of tainted luck. One thing is clear, however: we will eventually find out, sooner rather than later, as governments and nonstate actors learn to employ such tactics.