Belarusian hackers try to crack down on Ukrainian military profiles to expose lies

Facebook has found an increase in attempts by hackers to account for Ukrainian soldiers and officers. The social network points to a group called “Ghostwriter” as the main culprit known by the cyber security community as being in the interests of the Belarusian government. Their purpose is to control the accounts and expose the disinformation that these soldiers present, especially the fake videos.

“This group tried to hack the Facebook accounts of dozens of Ukrainian servicemen. In some cases, they posted videos calling for the military to resign, as if these posts were coming from legitimate account holders. “We have blocked the release of these videos,” the network company warned in a quarterly report about malicious activity on its platforms, which was released on Thursday.

Ghostwriter’s tactics are usually to compromise victims through email phishing, giving them access to sensitive data and passwords that they use to access social media accounts. Cybersecurity firms such as Mandiant (now independent and recently acquired by Google for $ 5 billion) have been monitoring the group for several years and have found a connection between the Ghostwriter and the Belarusian government, led by Alexander Lukashenko.

The link between the two is UNC1151, the code name for a professional cyber attack organization that is “highly trusted” by “affiliates of the Government of Belarus”. For its part, UNC1151 provides technical support to the Ghostwriter tion Operations Campaign, according to a November 2021 pre-war investigation by Mandiant: He is also likely to be partly responsible for the Ghostwriter campaign. ”

Belarus is also likely to be at least partially responsible for the Ghostwriter campaign.

“We can not rule out Russia’s contribution to UNC1151 or Ghostwriter. However, so far we have not found any direct evidence of such a contribution, “said the cyber security firm.

On February 26, just hours after the end of the Russian invasion of Ukraine, Facebook warned that it had found an increase in Ghostwriter activity on its platforms. Now he reflects that his shares have not increased in the coming weeks. In those early days, the group used access to Ukrainian military accounts to expose misinformation about their alleged resignation in battle, such as “a video claiming Ukrainian soldiers coming out of the forest while waving a white flag.”

Facebook says it “took action” on the accounts of Ukrainian soldiers who had been compromised by the Ghostwriter and warned “users that they were the target.” “We have also blocked phishing domains used by these hackers to deceive people in Ukraine into their accounts.

Hackers for political purposes

Unlike other mafias operating from Russia and on the Kremlin side since the start of the war, Ghostwriter is not economically motivated but politically motivated. By the summer of 2020, the group was “mainly disseminating anti-NATO narratives that appeared to be aimed at undermining regional security cooperation in targeted operations in Lithuania, Latvia and Poland,” the Mandiant report said.

This work was based on “spreading misinformation that portrays the presence of foreign troops in the region as a threat to the population and argues that the costs of NATO membership are detrimental to the local population,” the firm continued, noting that these narratives could serve both Russian and Belarusian interests. “However, we note that the campaign is specifically aimed at audiences in the countries bordering Belarus,” they said, citing the fact that the group had missed Estonia, which has no border with Belarus but is a Baltic state. And a NATO member, “the relevant component of any concerns about NATO’s security position on its eastern flank.”

After the 2020 elections in Belarus, when Lukashenko was on the verge of losing power, “the Ghostwriter’s operations more clearly coincided with Minsk’s interests.” The group focused on discrediting the Belarusian opposition and spreading corruption scandals in the ruling parties in Poland and Lithuania, which strongly condemned Lukashenko’s crackdown on protesters, as well as his maneuvering in power, which has remained in power since 1994.

“Narratives of ghost writers, especially critical narratives of neighboring governments, have appeared on Belarusian state television as fact,” he said, referring to the use of hacking tactics to spread misinformation through social media accounts. In addition, we have seen that Telegram channels favorable to the Government of Belarus regularly send or quote the Russian-language Telegram channel that we have attributed to Ghostwriter.

A fake NGO condemning Ukraine’s attacks on civilians

Facebook’s quarterly reports of malicious activity on its platforms reflect all of the company’s actions to eliminate influence transactions for both political and economic purposes. His analyzes are global and PP also appeared in them, through false reports to neutralize the vote of the left in the 2019 elections revealed by the author of a disinformation campaign todaytimeslive.com. However, most of the networks he deactivates are Russia and the Internet Research Agency (IRA), headed by Eugene Prigogine, a businessman very close to Putin.

In the aftermath of the invasion, in its articles, Russia’s attack blames NATO and the West, and accuses Ukrainian forces of targeting civilians.

The document for the first three months of 2022 also includes new attempts by the IRA to carry out disinformation operations on Facebook. “We have identified and thwarted an attempt by the network in December 2020 to bring back individuals related to the IRA’s past activities,” the report said. An organization focused on civil rights in the West. ”

“They tried unsuccessfully to create Facebook accounts in late 2021 and January 2022. In January and February of this year, the website published articles about police violence in the West, but after the invasion, in their articles, they blamed Russia for its attack on NATO and the West. And accused Ukrainian forces of targeting civilians.