FireEye Report: Russian-Linked Influence Campaign Leveraging Compromised Websites, Including Legitimate News Websites, to Publish Fabricated Anti-NATO Content

On July 29, U.S. cybersecurity firm FireEye issued a report by Mandiant Threat Intelligence that identifies a particular influence campaign, aligned with Russian security interests, that consists of several information operations that have leveraged website compromises and fabricated content and “have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe.”

FireEye labeled this campaign, which has been operating since at least March 2017, as “Ghostwriter” because of “its use of inauthentic personas posing as locals, journalists, and analysts within the target countries to post articles and op-eds referencing the fabrications as source material to a core set of third-party websites that publish user-generated content.”

In particular, the report notes that “[m]ultiple Ghostwriter operations appear to have leveraged compromised websites, predominantly those of news outlets, to post fabricated news articles or documentation.”  Although there were some cases in which only the purported victim entity (e.g., a government agency) publicly claimed to have been compromised, in many cases FireEye “also located archived copies of Ghostwriter articles posted to the suspected compromised sites.”

Public reporting suggested “that in at least some of these cases, the fabricated articles were published using the sites’ content management systems (CMS) after obtaining user credentials.”  In addition, “it appears that rather than creating new CMS entries, the actors may have replaced existing legitimate articles on the sites with the fabrications.”

For example, in September 2019, a local Lithuanian news site “was reportedly compromised, and a false article published claiming that German soldiers had desecrated a Jewish Cemetery in Kaunas.”  FireEye “independently observed an archived version of that article having been posted to the site.”

Such falsified content, in turn, has been referenced as source material in articles and op-eds written by “inauthentic personas” – at least 14, by FireEye’s count – who pose “as locals, journalists, and analysts within those countries.” These articles and op-eds, which are “primarily written in English, have been consistently published to a core set of third-party websites that appear to accept user-submitted content, . . . as well as to suspected Ghostwriter-affiliated blogs.”

The report concluded that Ghostwriter “leverages traditional cyber threat activity and information operations tactics to promote narratives intended to chip away at NATO’s cohesion and undermine local support for the organization in Lithuania, Latvia, and Poland.”  While these operations so far have been targeting audiences in only those three countries, FireEye cautioned “that the same tactics employed in the Ghostwriter campaign can be readily repurposed and used against other target geographies. Given the established history of cyber threat and information operations tactics regularly migrating from targeting Eastern Europe to targeting Western Europe and the U.S., this campaign may warrant special attention, especially as elections near.”

Note: This report should be of substantial concern to information-security teams in legitimate news organizations, not only in Eastern Europe but in Western Europe and North America.  Chief Information Security Officers in such news organizations should promptly bring the report to the attention of senior leadership, and increase their teams’ cyber surveillance for indications that this or other Russian-affiliated campaigns are seeking to compromise their sites and post fabricated news content.
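Because the report describes fabrications that replaced existing legitimate articles through the CMS rather than appearing as new entries, one monitoring approach is to baseline each article at publication and flag later wholesale changes. The sketch below is an added example, not code from FireEye or from this post; the function names, the 0.5 similarity threshold and the sample articles are assumptions constructed for illustration.

```python
import difflib
import hashlib

REPLACEMENT_THRESHOLD = 0.5  # assumed cut-off; tune against your own edit history

def fingerprint(article):
    """SHA-256 over whitespace-normalised title and body."""
    text = " ".join((article["title"] + " " + article["body"]).split())
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def snapshot(articles):
    """Baseline taken at publication time: hash plus body for later comparison."""
    return {aid: {"hash": fingerprint(a), "body": a["body"]} for aid, a in articles.items()}

def audit(baseline, current):
    """Return (article_id, kind, similarity) for each published article that changed."""
    findings = []
    for aid, old in baseline.items():
        new = current.get(aid)
        if new is None:
            findings.append((aid, "missing", 0.0))
        elif fingerprint(new) != old["hash"]:
            # Word-level similarity separates a routine correction from a swapped-out body.
            words_old, words_new = old["body"].split(), new["body"].split()
            ratio = difflib.SequenceMatcher(None, words_old, words_new).ratio()
            kind = "replaced" if ratio < REPLACEMENT_THRESHOLD else "edited"
            findings.append((aid, kind, round(ratio, 2)))
    return findings

# Constructed sample data (not taken from the report).
PUBLISHED = {
    101: {"title": "Council approves budget",
          "body": "The city council approved the new budget for road repairs on Tuesday after a short debate."},
    102: {"title": "Volunteers plant trees",
          "body": "Local volunteers planted two hundred trees along the river bank during the spring festival."},
    103: {"title": "Library hours", "body": "The library will extend its opening hours from next month."},
    104: {"title": "Road closure", "body": "Main Street closes for resurfacing this weekend."},
}
LIVE = {
    101: {"title": "Council approves budget",
          "body": "The city council approved the new budget for road repairs on Wednesday after a short debate."},
    102: {"title": "Volunteers plant trees",
          "body": "Placeholder text standing in for a fabricated story unrelated to anything published here."},
    103: {"title": "Library hours", "body": "The library  will extend its\nopening hours from next month."},
}

if __name__ == "__main__":
    for finding in audit(snapshot(PUBLISHED), LIVE):
        print(finding)
```

Findings marked "replaced" or "missing" are the ones to correlate with CMS login and edit records for the account that made the change.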
