BOSTON – Cybersecurity researchers say they have uncovered evidence that Belarus has been involved in a hybrid hacking and disinformation campaign against Eastern European NATO members since 2016 that aimed to sow discord in the military alliance, steal confidential information and spy on dissidents.
Tuesday's report by the prominent U.S. cybersecurity firm Mandiant appears to mark the first time Belarus has been blamed in the campaign known as Ghostwriter. European Union members have said they suspected involvement by Belarus' close ally Russia, and Poland has directly accused Moscow of hacking government officials' emails and leaking them online.
While Mandiant said it had compelling forensic evidence that Belarus was involved in the hacking — whose targets have also included German lawmakers — it said it had no direct proof of Russian participation, though that doesn't rule it out and attributing cyberoperations can be difficult.
The Belarus government did not immediately respond to a request for comment. A press officer at the Russian Embassy in Washington had no immediate comment on alleged Russian involvement in Ghostwriter. Russian officials regularly reject accusations they are involved in hacking and disinformation activity.
Mandiant is among the most careful and highly respected cybersleuthing practitioners. It works closely with Western law enforcement and intelligence agencies and has been closely tracking Ghostwriter activity and issuing periodic updates.
Its director of cyber-espionage analysis, Ben Read, would not detail why Mandiant is highly confident the Belarus government technically assisted the hackers and why it says they are likely located in Minsk, the country’s capital. He said only that they left telltale digital footprints and that multiple other sources corroborated Mandiant’s findings. Nor did he explain why researchers believe Belarus’ military is also involved with the hackers, which Mandiant calls UNC1151, declining to disclose the information to protect sources and methods.
The main targets of the hacking and disinformation campaign have been Poland, Lithuania and Latvia, NATO members on the alliance's tense eastern edge, as well as Ukraine, which has been in a low-level military conflict with Russia-backed separatists since 2014.
But also targeted were domestic news media and political opponents of Moscow-allied Belarusian strongman Aleksander Lukashenko prior to the 2020 election. He is accused of rigging his reelection, which triggered massive street protests that his security forces violently repressed. Some of those opponents were later arrested, Mandiant said.
Mandiant's findings come as the European Union has slapped new sanctions on Belarus for ginning up a crisis on its border with Poland, Latvia and Lithuania by encouraging thousands of migrants from Iraq, Syria and elsewhere in the Middle East to mass at the frontier seeking a way into the European Union.
Analysts believe Lukashenko is taking revenge for previous EU sanctions imposed over his alleged election rigging and his anger over Poland granting dissidents political refuge.
In September, Germany accused Russia of trying to steal data from state and federal lawmakers ahead of Sept. 26 parliamentary elections through a hacking campaign it attributed to Ghostwriter. If any information was stolen in that campaign or access to sensitive computer networks gained, there is no evidence to date of it being used as a political weapon, said Mandiant’s Read.
Ghostwriter’s yearslong disinformation efforts were primarily focused on trying to discredit NATO and undercut regional security in Lithuania, Latvia and Poland. False narratives were disseminated through hacks of legitimate news outlets, government websites and spoofed emails.
In one instance, it was claimed that NATO was planning to withdraw from Lithuania in response to the COVID-19 pandemic. Another bogus report claimed German soldiers had desecrated a Jewish cemetery in that country. In another operation, a fabricated letter posted on a Polish military academy website called on Polish troops to resist “the American occupation.”
Since the disputed August 2020 Belarus elections, Ghostwriter operations have been more closely aligned to Lukashenko’s political agenda, attempting in particular to create tensions in Polish-Lithuanian relations.
In March, two Polish government websites were hacked and used to briefly spread a false claim that nuclear waste from Lithuania was threatening Poland. On Aug. 17, a fabricated news item alleging that migrants who escaped from a detention center had murdered a Polish priest was published to the website of the Lithuanian municipality of Prienai, whose mayor was quoted in local media as saying the site had been hacked, Mandiant said.
While most of the hacking by UNC1151 targeted Belarus’ neighbors, some was conducted against countries with no obvious connection to it, Mandiant noted. That includes phishing emails sent in 2019 to the Colombian, Irish and Swiss governments, it said.