EU: Russia Behind ‘Ghostwriter’ Campaign Targeting Germany

It’s not the first time that the disinformation/spearphishing campaign, which originally smeared NATO, has been linked to Russia.

In the wake of cyberattacks targeting the recently held German elections, the European Union has blamed Russia for an ongoing disinformation campaign called “Ghostwriter.” Germany is the latest target in an effort that for years has tried to discredit NATO, and which has both smeared and cyberattacked Parliament members, other politicians and government officials, and journalists.

It’s not the first time the campaign has been attributed to Russia, but on Friday, the EU Council made the link official. From the press release:

“These malicious cyber-activities are targeting numerous members of Parliaments, government officials, politicians, and members of the press and civil society in the EU by accessing computer systems and personal accounts and stealing data.

“Such activities are unacceptable as they seek to threaten our integrity and security, democratic values and principles, and the core functioning of our democracies.” —EU Council’s Sept. 24 press release.

The Council noted that the actions attributed to Ghostwriter operators – actions that have included attempts to steal login credentials of German lawmakers to pull off identity theft before the Sept. 26 federal election, as well as a spearphishing attack that targeted multiple German Parliament members – run counter to what’s expected from a responsible state:

“These activities are contrary to the norms of responsible State behaviour in cyberspace as endorsed by all UN Member States, and attempt to undermine our democratic institutions and processes, including by enabling disinformation and information manipulation,” according to the press release.

Infosec Insiders Newsletter

“The European Union and its Member States strongly denounce these malicious cyber-activities, which all involved must put to an end immediately,” the release continued. “We urge the Russian Federation to adhere to the norms of responsible state behavior in cyberspace.”

Ghostwriter’s History

In July 2020, FireEye’s Mandiant threat-intelligence analysts reported that they’d uncovered a widespread influence campaign that was aiming to discredit NATO, the intergovernmental military alliance between 30 North American and European countries.

At the time, FireEye reported that the campaign had been ongoing since at least March 2017. It wasn’t just about spreading fake news on social-media platforms such as Twitter and Facebook, as other disinformation campaigns have done. Rather, the Ghostwriter threat actors went a step beyond, compromising news website content management systems (CMSes) and spoofing email accounts to spread cooked-up content, including fake correspondence from military officials and bogus quotes from political figures.

Earlier this month, German Foreign Ministry spokeswoman Andrea Sasse said that Ghostwriter has targeted the German parliament at least three times this year, “combining conventional cyberattacks with disinformation and influence operations.” Sasse added that activities targeting Germany have been observed “for some time.”

Sasse also said that ahead of Germany’s federal election on Sept. 26, Ghostwriter threat actors tried to steal login credentials of federal and state lawmakers so as to pull off identity theft.

Tied to Russia’s GRU Military Intel

Sasse said that the German government has “reliable information” that’s led it to conclude that Ghostwriter’s activities are tied “to cyber-actors of the Russian state and, specifically, Russia’s GRU military intelligence service,” referring to the General Staff Main Intelligence Directorate (GRU) arm of Russia’s military intelligence.

As far as the spearphishing attack goes, Der Spigel reported in March that personal email accounts belonging to seven members of the Bundestag (the German federal parliament) and 31 members of the state parliament were targeted. The lure: fake news about desecration of a Jewish cemetery.

The next month, in April, FireEye updated its original Ghostwriter report to add that the group had expanded its narratives; targeting; and tactics, techniques and procedures (TTP). Researchers said that recent operations had “heavily leveraged” compromised social-media accounts of right-wing Polish officials in order to “publish content seemingly intended to create domestic political disruption in Poland, rather than foment distrust of NATO.”

At the time, as FireEye explained, Ghostwriter operators appeared to have moved past using compromised websites and spoofed emails or posts from fake people. Instead, the threat actors apparently were using account credentials stolen from targets’ compromised email accounts.

The EU Council concluded its release by saying that it’s going to revisit the Ghostwriter issue in future meetings and may consider taking further steps against Russia.

Rule #1 of Linux Security: No cybersecurity solution is viable if you don’t have the basics down. JOIN Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the 4 Golden Rules of Linux Security. Your top takeaway will be a Linux roadmap to getting the basics right! REGISTER NOW and join the LIVE event on Sept. 29 at Noon EST. Joining Threatpost is Uptycs’ Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.

Suggested articles