A Close Look at Russia's Ghostwriter Campaign

The group, which conducts espionage and sows disinformation, is larger than previously thought and has shifted tactics.

5 Min Read
Hooded person with a newspaper backdrop
Source: Igor Stevanovic via Alamy Stock Photo

Russia's online disinformation efforts are vast and growing. While most of the US media's attention to date has focused on Moscow's efforts in the US elections, this overlooks an even more robust campaign that has been underway in Europe for quite some time.

Known as "Ghostwriter," this espionage and disinformation operation has targeted several European countries, including Germany, Poland, Ukraine, and the Baltics (Estonia, Latvia, and Lithuania). In September, both Germany and the European Union officially attributed recent, targeted phishing campaigns to Russia generally and Russia's military intelligence apparatus (GRU) and the Ghostwriter operation specifically.

In August, our intelligence team uncovered new operational details for Ghostwriter/UNC1151, which we publicly released on Sept. 1.

Here is a closer look at what we found:

Ghostwriter's Infrastructure Is Significantly Larger Than Previously Thought
We identified an additional 81 phishing domains associated with UNC1151 that were not previously reported, which makes this group's infrastructure nearly three times larger than originally suspected.

Of these new domains, 52 are assessed with high confidence to be part of UNC1151's operational infrastructure, and 29 are assessed with moderate confidence to be previously used phishing infrastructure for the actor's targeted phishing campaigns.

This Infrastructure Was Well Hidden
There were no overt linkages between the new domains our team discovered and the previous domains reported by Mandiant. The group used entirely different — and largely legitimate-looking — registration information, login IPs, etc.

It also did not follow the standard practice among criminal groups of registering new domains but instead re-registered older, expired domains with prior records and established histories (in some cases, these domains were 10 years old) in order to skew analysis and appear legitimate.

Many of the domains were still inactive, which suggests the threat actor anticipated some level of domain attrition and had prepared for it by establishing backups.

Shifting Tactics
Our team also discovered domain and subdomain naming themes that indicate a change in Ghostwriter's targeting around 2020/2021.

Consistent subdomain and root domain naming themes strongly reinforce our assessment that the target audience in 2019 and 2020 was Apple (iPhone and iCloud) users in Europe; nearly all root domains we identified have at least one subdomain that includes the words "apple" or "icloud." We also observed phishing subdomains that appear to target PayPal and OVH Telecom (a French web hosting and cloud computing company) accounts, as well as Google, Microsoft, Twitter, and Facebook.

The evidence shows that in late 2020 and early 2021, the actor began a shift in targeting as indicated by the choice of specific subdomains attached to the generic root domain: UNC1151 began using subdomains that appear to target an Eastern European audience. It is during this time that we see a large-scale phishing infrastructure built out to phish credentials across the user spectrum: official Polish government accounts; Ukrainian military accounts; the French Armed Forces' Defense Information and Communication Delegation; accounts for popular regional email providers, such as Yandex, meta[.]ua, and bigmir[.]net; and global tech giants, including Twitter, Facebook, and Google.

Broader Range of Targets
As noted above, UNC1151's malicious campaign has expanded (and is likely still expanding) its geographical range to new targets. Based on the phishing infrastructure we uncovered, the threat actor has been targeting members of the French Defense Information and Communication Delegation, a department of the French Ministry of the Armed Forces, which was not previously reported.

The Bigger Picture
It's no small feat for a threat actor to hide this level of infrastructure from the types of experienced security teams and researchers who have been investigating it over the past two years. This suggests the Ghostwriter operation is much more sophisticated than was previously thought.

Additionally, the cost of setting up this level of infrastructure — from the domain registrations to the VPNs and proxies needed to conceal these operations — isn't trivial, particularly when one considers that the campaign isn't intended to make money. The threat actor's deliberate planning for domain attrition, including an extensive backup domain system, also shows its sophistication and abilities.

All of this reinforces the attribution of state sponsorship made by Germany and the EU.

Ghostwriter's Future
These newly uncovered domains have shed more light on Ghostwriter's tactics, techniques, and procedures (TTPs), which will make it easier for organizations to identify and counteract future efforts by the group.

However, UNC1151 has had its infrastructure published and disseminated in public reporting before and has been observed both moving to new infrastructure as well as continuing to use known, previously disclosed infrastructure.

If publishing its infrastructure does, indeed, lead to diminishing operational effectiveness, we may see the group go silent, possibly to re-emerge later under a different banner, utilizing different TTPs and targeting methodologies, or perhaps not. This actor has been conducting a long-running, large-scale, and geographically dispersed influence operation for years and its operations and targets have evolved during that time. Its goals are not defined by the group or its members, but the strategic mission with which it is tasked — conducting espionage and spreading disinformation. Once these operations have achieved their objective or exposure has degraded their ability to operate, the group may jettison infrastructure, disband, reconstitute, retool, or develop new TTPs to avoid detection.

We may see Ghostwriter change its domain registration services, the cadence of its registrations, take further advantage of emerging privacy protection services in general alignment with the EU's General Data Protection Regulation and the global trend toward privacy, or use separate cloud infrastructure to host the SMTP servers for its phishing emails. It may even pivot from a focus on credential phishing via email to social media or other vectors.

Russia's disinformation efforts in Europe will go on, but whether it will continue to use the Ghostwriter operation remains to be seen. Either way, security teams should expect significant changes in the tactics used by this actor.

About the Author(s)

Karim Hijazi

CEO of Prevailion

Karim Hijazi is CEO of Prevailion, a cyber intelligence company that monitors and detects active threats by infiltrating hacker networks. Hijazi is also a former director of intelligence for Mandiant and a former contractor for the US intelligence community.

Matt Stafford

Senior Threat Intelligence Researcher at Prevailion

Matt Stafford is a senior threat intelligence researcher at Prevailion. He has extensive experience working in information security both in and out of government.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights