Enlarge / Ukrainian soldiers sit on an armored military vehicle in Sievierodonetsk on April 7, 2022, amid Russia’s invasion of Ukraine.
Facebook today reported an increase in attacks on accounts run by Ukraine military personnel. In some cases, attackers took over accounts and posted “videos calling on the Army to surrender,” but Facebook said it blocked sharing of the videos.
Specifically, Facebook owner Meta’s Q1 2022 Adversarial Threat Report said it has “seen a further spike in compromise attempts aimed at members of the Ukrainian military by Ghostwriter,” a hacking campaign that “typically targets people through email compromise and then uses that to gain access to their social media accounts across the Internet.” Ghostwriter has been linked to the Belarusian government.
“Since our last public update [on February 27], this group has attempted to hack into the Facebook accounts of dozens of Ukrainian military personnel,” Meta wrote today. Ghostwriter successfully hacked into the accounts in “a handful of cases” in which “they posted videos calling on the Army to surrender as if these posts were coming from the legitimate account owners. We blocked these videos from being shared.”
Ghostwriter links to Belarus government
In its February 27 update, Meta said it detected Ghostwriter’s “attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender.” Meta said it had “taken steps to secure accounts that we believe were targeted by this threat actor” and “blocked phishing domains these hackers used to try to trick people in Ukraine into compromising their online accounts.” But Ghostwriter continued its operations and hacked into accounts of Ukrainian military personnel, as previously mentioned.
The Ghostwriter name was first used by security firm Mandiant to describe an influence campaign that “promotes narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe.” Mandiant says the Ghostwriter campaign is conducted at least partly by “UNC1151, a suspected state-sponsored cyber espionage actor that engages in credential harvesting and malware campaigns.”
In November 2021, Mandiant said its research “assesses with high confidence that UNC1151 is linked to the Belarusian government… We cannot rule out Russian contributions to either UNC1151 or Ghostwriter. However, at this time, we have not uncovered direct evidence of such contributions.” Belarus has close ties to the Russian government and has supported the invasion of Ukraine.
An Insikt Group report said that the “lack of technical evidence indicating Russian involvement… is very likely an intended component of the threat activity. We have found many overlaps in tactics, techniques, and procedures (TTPs) used by UNC1151 and Ghostwriter activity and Russian threat activity groups. Additionally, we note that false flags are prevalent among Russian military advanced persistent threat groups.”