Anti-NATO Disinformation Campaign Leveraged CMS Compromises

NATO disinformation campaign

Researchers uncovered a disinformation campaign aiming to discredit NATO via fake news content on compromised news websites.

Researchers have uncovered a widespread influence campaign that aims to discredit the Northern Atlantic Treaty Organization (NATO), an intergovernmental military alliance between 30 North American and European countries.

According to new research from FireEye, the campaign has been ongoing since at least March 2017. The influence campaign does not merely spread false news content on social media platforms such as Twitter and Facebook, as other disinformation campaigns have done. Instead, it goes a step further. The attackers reportedly compromised news website content management systems (CMS) to manipulate content, spreading reports of falsified correspondence from military officials, fake quotes from political figures and more.

The operations primarily targeted audiences in Lithuania, Latvia, and Poland, which are all members of NATO. Researchers assess with “moderate confidence” that the operations are aligned with Russian security interests – However, they said that at this time they are not attributing the campaign to a specific actor or group of actors.

“We have dubbed this campaign ‘Ghostwriter,’ based on its use of inauthentic personas posing as locals, journalists, and analysts within the target countries to post articles and op-eds referencing the fabrications as source material to a core set of third-party websites that publish user-generated content,” according to FireEye researchers in a Thursday analysis.

Researchers said that they uncovered a slew of false news articles, quotes, correspondence and other documents that were designed to appear as coming from military officials and political figures in the targeted countries.

One such quote, for instance, was falsely attributed to the commander of the NATO eFP Battle Group. The quote was used to push a narrative that Canadian soldiers stationed in Latvia had been diagnosed with COVID-19, aiming to spread fears that despite the outbreak of coronavirus, NATO troops continue to enter and leave Latvia.

This quote (“Yes, 21 soldiers have tested positive for the virus. We have taken the necessary security measures, but not everyone has the same immunity. All necessary measures are being taken. The soldiers are isolated.”) was found on various news websites.

disinformation campaign

Credit: FireEye

Another piece of fabricated content was letter purporting to be authored by NATO Secretary General Jens Stoltenberg, which bolstered a narrative suggesting that NATO was planning to withdraw from Lithuania in response to the COVID-19 pandemic.

These false pieces of content were then sourced in material like articles and op-eds, authored by at least 14 inauthentic personas posing as locals, journalists, and analysts within those countries they said.

“These articles and op-eds, primarily written in English, have been consistently published to a core set of third-party websites that appear to accept user-submitted content, most notably,, and the pro-Russian site, among others, as well as to suspected Ghostwriter-affiliated blogs,” said researchers.

Researchers believe that some of the websites spreading content from the influence campaign were also compromised after attackers obtained the credentials of the news sites’ content management systems (CMS). Attackers are believes to have replaced existing legitimate articles on the sites with the fabrications, as opposed to creating new CMS entries. However, researchers noted that they have not independently confirmed these compromises and are relying on reporting by government entities and media outlets in the target countries.

“Many Ghostwriter operations have leveraged compromised websites, including legitimate news websites, to publish fabricated content, or used spoofed email accounts to engage in direct outreach and dissemination of content to NATO itself and national organizations and media outlets in the target countries,” said researchers.

The topic of disinformation and influence campaigns is slated to be a big topic this year at Black Hat USA 2020, with keynotes surrounding election security and COVID-19 disinformation over the past few months. Indeed with the November elections coming up, websites like Twitter, Facebook, Reddit, Google and more are under scrutiny for how they are handling disinformation campaigns. Last year, for instance, an influence operation that recycled old news about terror incidents and re-published them as if they were new was discovered on social media.

Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us  Wednesday Aug. 12 at 2pm ET for this FREE live webinar.

Suggested articles