US cybersecurity firm confirms Poland as subject of 'Ghostwriter' op

US-based cybersecurity firm Mandiant has told PAP that they have uncovered numerous activities against Poland within the framework of the 'Ghostwriter' operation, confirming earlier findings of the Polish services.

On Tuesday, the spokesman of the coordinator of special services said that a recent cyberattack on Polish politicians and the leaking of their e-mail was the work of the UNC1151 group, associated with Russian services, which is conducting a widescale operation called 'Ghostwriter' aimed at destabilising countries of the region.

The group was first identified by American cybersecurity firm Mandiant Intelligence, part of the FireEye group, which also named the operation. Mandiant Intelligence's director for analysis, Ben Read, told PAP on Tuesday that the company had uncovered numerous operations of the UNC1151 group against Polish entities.

The 'Ghostwriter' operation was first mentioned by Mandiant in a company report in 2020, when analysts wrote that it was an influencing operation aimed at promoting a narrative critical of Nato, mostly in Lithuania, Latvia and Poland.

Read said, however, that Mandiant had not yet gathered sufficient evidence to attribute the attack to a given country. Nonetheless, in Mandiant's assessment, the UNC1151 group is connected with a foreign state.

As part of the operation, the UNC1151 group published and distributed false articles after hacking into web portals, including on the subject of alleged Nato preparations for a war with Russia.

In a later report, from April 2021, Mandiant said the group's activities were more widespread than earlier thought, attributing to it the hacking into Twitter and Facebook accounts of politicians of Poland's ruling United Right camp, including those of Marek Suski MP and Minister Marlena Maląg, among others. Mandiant said then that the main focus of 'Ghostwriter' at a later time was not Nato but creating internal divisions in Poland's ruling coalition and in Polish society.

In addition to Polish politicians, the operation also targeted military and government entities as well as media in the Baltic states and Ukraine and later also politicians in Germany and also a well-known Belarusian opposition blogger.

The report listed 34 incidents related to the 'Ghostwriter' operation over the course of five years. In many cases, hackers used the accounts of politicians and public figures to spread fake news, including about a prostitution gang working with the participation of Polish and Lithuanian government officials and the American military.

Mandiant said not all the incidents could be unambiguously attributed to UNC1151, but they could say with a high degree of certainty that the group was behind some of them.