Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity

Mandiant Threat Intelligence has detailed an ongoing cyber-enabled influence campaign we named Ghostwriter. We assess with high confidence that UNC1151, a suspected state-sponsored cyber espionage actor that engages in credential harvesting and malware campaigns, conducts at least some components of Ghostwriter activity.

An uncategorized (UNC) threat group is a cluster of cyber intrusion activity which includes observable artifacts such as adversary infrastructure, tools, and attack patterns, but is not yet classified as an advanced persistent threat (APT) or financially motivated (FIN) group.

In July 2020, Mandiant Threat Intelligence released a public report detailing an ongoing cyber-enabled influence campaign we named Ghostwriter. The campaign has primarily targeted audiences in Lithuania, Latvia and Poland with narratives critical of NATO’s presence in Eastern Europe. Since that report, we have identified over twenty additional incidents that we believe are part of Ghostwriter activity that we have reported on to Mandiant Intelligence customers.

Request a copy of the report to learn about how Mandiant Threat Intelligence has continuously investigated and reported on the ongoing Ghostwriter influence campaign since publicly naming it in July 2020.