Threat Groups

Ghostwriter / UNC1151

1. Overview

Ghostwriter, also tracked as UNC1151, is a cyber influence and espionage operation attributed to actors aligned with Belarus, with potential support or collaboration from Russian military intelligence. First publicly identified in 2017, Ghostwriter has conducted coordinated disinformation campaigns and cyber intrusions targeting political, military, and civil institutions across NATO member states, with particular focus on Poland, Lithuania, Latvia, and Ukraine.

Ghostwriter is notable for blending conventional cyber espionage with psychological operations. Its campaigns often involve website defacement, hijacking of legitimate news outlets, and distribution of fake narratives intended to erode trust in NATO, democratic institutions, and Western military alliances.


2. Origin and Evolution

Ghostwriter began as a disinformation operation focusing on Eastern Europe. Over time, it evolved into a more complex threat group capable of both narrative influence and credential-based intrusion. It has been linked to a series of fake news articles and forged press releases aimed at NATO troops stationed in the Baltics and Poland.

In 2021, Mandiant attributed the technical component of Ghostwriter campaigns to UNC1151, a group operating from Belarus and likely connected to the Belarusian Ministry of Defence. Some infrastructure overlaps suggest coordination with Russian entities, though attribution to the Russian GRU remains unconfirmed.

Ghostwriter activity increased following the 2020 Belarusian presidential election and again during Russia’s invasion of Ukraine in 2022.


3. Tactics, Techniques, and Procedures (TTPs)

Ghostwriter combines social engineering, hacking, and content manipulation to execute its campaigns. Its tactics include:

  • Credential theft
    Spear-phishing emails (T1566.001) and watering hole attacks (T1056.001) designed to capture credentials from military, political, and media personnel.
  • Account compromise and content injection
    Once access is obtained, attackers log into email or CMS platforms to post false messages, blog articles, or emails from legitimate accounts (T1586.002).
  • Website defacement
    Use of stolen credentials or CMS exploits to alter official websites and publish fabricated narratives (T1491.001).
  • Disinformation operations
    Coordinated release of forged documents, fake news stories, and social media amplification (T1585, T1587.001), often blaming NATO troops for violence or scandal.
  • Infrastructure
    Ghostwriter uses compromised email servers and publicly available CMS tools to conduct low-cost but high-impact campaigns. They frequently register fake news domains that mirror legitimate outlets.

4. Targeting Profile

Ghostwriter primarily targets governments, military personnel, civil society organisations, and media outlets in:

  • Poland
  • Lithuania
  • Latvia
  • Ukraine
  • Germany
  • Estonia
  • The United Kingdom

While Poland and the Baltic states remain the most affected, Ghostwriter has expanded its targeting to include NATO headquarters, EU institutions, and government-linked NGOs across Europe. UK-based researchers, policy analysts, and journalists have been targeted through phishing and impersonation attempts.


5. Notable Campaigns and Victims

Notable Ghostwriter campaigns include:

  • Defacement of Polish and Lithuanian government websites with false narratives accusing NATO soldiers of misconduct
  • Phishing campaigns against European defence officials and think tanks in 2021 and 2022
  • Targeting of Ukrainian military and political personnel prior to and during Russia’s 2022 invasion
  • Use of compromised Polish news sites to publish false claims about US troops spreading disease in Europe
  • Attempted compromise of UK-based journalists covering Eastern European politics and security

Many of these campaigns were designed to amplify distrust in NATO, create political tension between allies, and undermine support for Ukraine and European security cooperation.


6. Technical Indicators

Ghostwriter’s infrastructure is decentralised and frequently rebuilt, but common indicators include:

  • Use of generic phishing kits and fake login pages for Microsoft 365, ProtonMail, and Roundcube
  • CMS platform abuse in WordPress and Joomla environments
  • Hosting of malicious content on compromised media and government websites
  • Email spoofing domains mimicking EU, NATO, or military contacts
  • Phishing lures themed around invitations to military events, embargoed policy briefings, or COVID-19-related alerts

Mandiant and UK Cyber Defence Ltd maintain updated IOC lists for Ghostwriter activity, which include domains, hash values, and credential phishing templates.
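As an added example (not code from the page's authors or the IOC lists above), the following Python script flags lookalike domains of the kind described in this section, such as fake outlets mirroring legitimate news sites and spoofed contact domains, in proxy log lines. The watchlist, homoglyph table, two-label TLD rule and log lines are constructed placeholders, not real Ghostwriter indicators.

```python
import re
from difflib import SequenceMatcher

# Constructed watchlist of legitimate outlets/contacts to protect; placeholders,
# not real Ghostwriter infrastructure or indicators.
WATCHLIST = ["example-news.pl", "nato-example.int", "defence-example.gov.uk"]
# Substitutions commonly used to make a registered name look like another.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalise(label):
    """Undo homoglyph substitutions so 'examp1e' compares equal to 'example'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def core(domain):
    """Labels left of the effective TLD; assumes gov/co/org/ac + ccTLD form a two-label TLD."""
    labels = domain.lower().removeprefix("www.").split(".")
    tld_len = 2 if len(labels) > 2 and labels[-2] in {"gov", "co", "org", "ac"} else 1
    return ".".join(labels[:-tld_len])

def classify(candidate):
    """(reason, impersonated domain) if candidate resembles a watchlist entry, else None."""
    if candidate.lower().removeprefix("www.") in WATCHLIST:
        return None  # the genuine domain itself is never flagged
    cand = core(candidate)
    for legit in WATCHLIST:
        legit_core = core(legit)
        if normalise(cand) == legit_core:
            return ("homoglyph", legit)       # e.g. examp1e-news, nato-exarnple
        if legit_core in cand:
            return ("brand-embedded", legit)  # e.g. login.example-news.pl.attacker.net
        if SequenceMatcher(None, cand, legit_core).ratio() >= 0.8:
            return ("near-match", legit)      # e.g. defense-example vs defence-example
    return None

# Constructed proxy log lines; only the dst= field is inspected.
PROXY_LOG = """\
2025-05-01T09:12:03Z user=j.doe dst=www.example-news.pl action=allow
2025-05-01T09:14:45Z user=j.doe dst=examp1e-news.pl action=allow
2025-05-01T09:20:10Z user=a.smith dst=login.example-news.pl.attacker.net action=allow
2025-05-01T09:25:31Z user=a.smith dst=nato-exarnple.int action=allow
2025-05-01T09:30:00Z user=k.lee dst=defense-example.gov.uk action=allow
2025-05-01T09:31:00Z user=k.lee dst=unrelated-site.com action=allow
"""

def scan(log):
    """Return (destination, reason, impersonated domain) for every suspicious log line."""
    dsts = re.findall(r"\bdst=(\S+)", log)
    return [(d, *v) for d in dsts if (v := classify(d))]
```

The genuine domain and an unrelated site produce no hit; the four lookalikes are reported with the reason and the watchlist entry they imitate.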


7. Defensive Measures and Recommendations

To defend against Ghostwriter and UNC1151 operations:

  • Enable multi-factor authentication across all email and content management systems
  • Train personnel in recognising spear-phishing and impersonation attempts
  • Monitor for unauthorised access to CMS platforms and web content
  • Use secure communication protocols for sensitive military and diplomatic correspondence
  • Work with hosting providers to remove defaced content quickly and restore media credibility
  • Implement DMARC, SPF, and DKIM to prevent email spoofing and impersonation
  • Coordinate with national CSIRTs and information-sharing alliances to track narrative campaigns
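As an added example, not code from the page's authors, this Python check evaluates a domain's SPF and DMARC TXT records (assumed to have been fetched already) and reports settings that leave the domain open to the spoofing and impersonation listed above. The record strings and domain names are constructed placeholders, shown as a weak pair beside the corrected pair.

```python
import re

def parse_dmarc(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=...') into a tag dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess_spf(txt):
    """Findings for an SPF TXT record; an empty list means nothing weak was found."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    terms = txt.lower().split()
    all_mech = next((t for t in terms if re.fullmatch(r"[+~?-]?all", t)), None)
    if all_mech is None:
        return ["SPF lacks an 'all' mechanism; unlisted senders are treated as neutral"]
    if all_mech in ("+all", "all"):
        return ["SPF '+all' authorises every host on the internet to send as this domain"]
    if all_mech == "?all":
        return ["SPF '?all' is neutral and gives receivers nothing to act on"]
    if all_mech == "~all":
        return ["SPF '~all' is softfail; enforcement then depends on DMARC alignment"]
    return []  # '-all': only the listed hosts pass

def assess_dmarc(txt):
    """Findings for a DMARC TXT record; an empty list means the policy is enforcing."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return ["no DMARC record: spoofed mail is delivered with no policy applied"]
    tags, findings = parse_dmarc(txt), []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine sends spoofed mail to junk; prefer p=reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so aggregate reports of abuse never arrive")
    return findings

def assess(spf, dmarc):
    """Combined findings for one domain's SPF and DMARC records."""
    return assess_spf(spf) + assess_dmarc(dmarc)

# Constructed records for a placeholder domain: a weak pair beside the corrected pair.
WEAK = {"spf": "v=spf1 include:_spf.example.net +all", "dmarc": "v=DMARC1; p=none; pct=50"}
HARDENED = {"spf": "v=spf1 include:_spf.example.net -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.org"}
```

DKIM is not checked here because its signing keys live under selector-specific records; the DMARC alignment rule is what turns a valid DKIM signature into an enforceable policy.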

8. Attribution and Alliances

Ghostwriter’s technical operations are attributed to UNC1151, which is believed to operate from Belarus under state direction. Several security agencies, including Mandiant and NATO CERT teams, assess that the group likely operates with approval or coordination from Russian military intelligence.

Ghostwriter aligns with Belarusian and Russian interests in destabilising NATO unity and undermining confidence in Western institutions. Its operations are part of a broader information warfare strategy, particularly aimed at frontline NATO states.


9. Conclusion

Ghostwriter / UNC1151 represents a hybrid threat actor combining cyber intrusion with disinformation to wage psychological and political warfare. The group is persistent, well-aligned with geopolitical events, and adept at undermining trust in digital infrastructure and public discourse.

As tensions persist in Eastern Europe and the UK continues to play a central role in NATO operations, organisations in government, defence, and media sectors should prioritise identity protection, platform security, and coordinated narrative monitoring to mitigate Ghostwriter’s impact.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025