Group behind cyberattacks on multiple governments linked to Belarus

Hacking and disinformation groups believed to be behind attacks on governmental agencies in countries including Germany in recent months were linked by cybersecurity researchers on Tuesday to the Belarusian government.

Researchers for cybersecurity company Mandiant made the attribution as part of a new report, assessing with “high confidence” that the activity of what has been labeled the “Ghostwriter” information campaign was “aligned with Belarusian government interests.”

A cyber espionage group, which Mandiant labeled “UNC1151,” was also linked to the Belarusian government. Mandiant in April had reported that UNC1151 was helping conduct Ghostwriter influence operations. 

Targets of UNC1151 have included government and private sector groups in Lithuania, Latvia, Poland, Ukraine and Germany, with UNC1151 going after Belarusian journalists, dissidents and media entities with a focus on stealing confidential information. Mandiant noted that while UNC1151 has targeted former Soviet nations, it had not gone after any state entities in either Russia or Belarus. 

The Ghostwriter campaign was previously linked by officials to the Russian government, including the European Union, which formally called out Russia for the attacks on members of Parliament, government officials and others in EU member states.

The Associated Press reported in September that the German government was formally blaming Russia’s GRU intelligence service for targeting German lawmakers ahead of the country’s elections.

Mandiant researchers on Tuesday stressed that while “we cannot rule out Russian contributions … at this time, we have not uncovered direct evidence of such contributions.”

This is a change from last year, when Mandiant put out a report attributing Ghostwriter to influence campaigns targeting audiences in Latvia, Lithuania and Poland and noting the campaign was “aligned with Russian security interests.” These efforts were aimed at promoting negative narratives around NATO, of which Belarus is not a part. 

But as of Tuesday, Mandiant researchers were confident in attributing the activity to Belarus and noted that “sensitively sourced technical evidence indicates that the operators behind UNC1151 are likely located in Minsk, Belarus,” with researchers directly observing links to the Belarusian military. 

The researchers also found that Ghostwriter influence operations had changed from anti-NATO sentiments to attempting to stir up problems between the Polish and Lithuanian governments, particularly since the disputed Belarusian 2020 presidential election. 

Both Poland and Lithuania have condemned the government of Belarusian President Alexander Lukashenko, who was reelected in a widely disputed vote that has seen many countries refuse to recognize him as president. 

“The countries targeted by the majority of UNC1151 operations have strained bilateral relationships with Belarus,” the researchers wrote. “While some of the countries have consistent targets of Russian cyber espionage, the specific mix supports as Belarusian nexus.”