More stories


    Dark web crooks are now teaching courses on how to build botnets

    Botnets are one of the key drivers of cyberattacks, used to distribute malware, ransomware and other malicious payloads, and dark web forums are now offering lessons on how to make money from them, a move that is likely to increase the threat over time.

    Infected computers and devices in a criminal-controlled botnet can be used to send phishing emails or malware to even more devices. It’s common for botnet operators to lease out their collection of unwittingly controlled machines, which can number in the thousands, to other cyber criminals.


    For example, TrickBot malware ropes machines into a botnet, providing the attacker with a backdoor into them. That access is often sold to other cyber criminals, who use it to deploy ransomware, encrypt files and demand a significant ransom payment. Many botnets are used to steal usernames and passwords, while others lease out the processing power and bandwidth of the machines they control to launch DDoS attacks that flood websites with traffic and take them down.

    Botnet operators can, therefore, make significant sums of money, and now there are dark web operators offering online courses to train others in using botnets. They operate much like their legitimate counterparts teaching cybersecurity and other skills in online courses. Cybersecurity researchers at Recorded Future analysed advertising and activity in a botnet school on a prominent underground forum and found that these courses are in demand, a potential problem for organisations that might be targeted by cyber criminals learning these skills.

    “It’s essentially like as if you’re in college,” Danny Panton, cybercrime intelligence analyst at Recorded Future, told ZDNet. “You’ll have a director and they’ll be virtually teaching you – I don’t believe cameras are going to be on the person – but they have access to a platform and are taught insights into what you need to do to leverage botnets against potential victims.”

    Those teaching the courses include individuals who run large botnets themselves. The courses aren’t cheap, costing over $1,400, but promise to give even novice cyber criminals the knowledge to build, maintain and monetise botnets.

    “It really is a range of cybercrime experience and levels. You might have people who are seasoned cybercrime fraudsters, but aren’t really familiar with using botnets,” Panton explained. “Then there are people who are just completely new to cybercrime as a whole and just are curious and want to become better seasoned and increase their skills,” he added.

    Given the nature of the cybercrime world, some might suspect that if they hand over money for the course, they’ll be scammed and get nothing in return. But it appears to be a legitimate service, and the course is subject to reviews that suggest the botnet school really offers what it says it does. If it were a scam, it wouldn’t have lasted so long.

    Researchers don’t have the data to detail how many would-be cyber criminals have taken the course in total, but during the time spent analysing this activity, the number of people taking classes at any one time varied from as few as five to as many as 100.

    The course covers subjects including how to run a botnet in a way designed to avoid law enforcement attention, because, as the Emotet takedown demonstrated, the authorities will clamp down hard on botnets when they can. Researchers warn that the existence of these courses likely leads to an increase in the botnet threat, although by how much is hard to quantify without being able to track the activity of individual students. “It is highly likely that, as a result of these courses, more threat actors become proficient in botnet-oriented attacks,” said Panton.

    Botnets remain a significant threat to computer networks, but there are measures that can be taken to avoid becoming a victim. These include keeping systems updated with the latest security patches, making sure default manufacturer passwords aren’t in use, and closing internet-facing ports that aren’t necessary for a device’s function.


    US, UK, and Australia pin Iran for exploiting Fortinet and Exchange holes

    Cyber authorities in the US, UK, and Australia have called for administrators to immediately patch four vulnerabilities (CVE-2021-34473 in Microsoft Exchange, and CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379 in Fortinet FortiOS) after attributing some attacks that used them to attackers backed by Iran.

    “FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware,” a joint release stated. “ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.”

    Rather than going after a particular sector of the economy, the authorities said the attackers were simply exploiting the vulnerabilities wherever possible and then trying to turn that initial access into data exfiltration, a ransomware attack, or extortion. Using the Fortinet and Exchange holes for access, the attackers then added tasks to the Windows Task Scheduler and created new accounts on domain controllers and other systems, named to look like existing accounts, to maintain access. The next step was to turn on BitLocker, leave a ransom note, and get the data out via FTP.

    In April, the FBI and CISA warned that the Fortinet vulnerabilities were being actively exploited, and the full quartet of authorities placed the Fortinet flaws on their list of the top 30 exploited vulnerabilities in July. Separately on Wednesday, Microsoft issued its own warning about six Iranian groups using vulnerabilities in the same pair of products to drop ransomware.
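    The persistence and impact sequence described above (scheduled tasks, look-alike accounts on domain controllers, BitLocker turned on, data pushed out over FTP) is the kind of chain a defender hunts for in Windows Security logs. The Python below is an added example, not code from the advisory or from ZDNet: it runs three simple rules over a constructed sample of Windows Security events rendered as key=value lines (4720 account created, 4698 scheduled task created, 4688 process created). The host names, account names, the pre-existing account list and the `manage-bde -on` and `ftp -s:` command lines are assumptions made for the sample; the advisory text on this page names the techniques, not these specific commands.

```python
import re
from difflib import SequenceMatcher

# Constructed sample, not real log data: Windows Security events rendered as
# key=value lines. 4720 = account created, 4698 = scheduled task created,
# 4688 = process created (CommandLine is only present if command-line auditing is on).
SAMPLE_LOG = r"""
EventID=4720 Computer=DC01 SubjectUserName=jsmith TargetUserName=svc_backup1
EventID=4720 Computer=DC01 SubjectUserName=jsmith TargetUserName=helpdesk2
EventID=4698 Computer=DC01 SubjectUserName=svc_backup1 TaskName=\Microsoft\Windows\Wininet\CacheTask Command=powershell.exe Arguments=-nop -w hidden -enc SQBFAFgA
EventID=4698 Computer=FS02 SubjectUserName=backupadmin TaskName=\NightlyBackup Command=C:\Backup\run.exe Arguments=
EventID=4688 Computer=FS02 SubjectUserName=svc_backup1 CommandLine=manage-bde.exe -on D: -RecoveryPassword
EventID=4688 Computer=FS02 SubjectUserName=svc_backup1 CommandLine=ftp.exe -s:C:\Windows\Temp\up.txt
EventID=4688 Computer=WS07 SubjectUserName=alice CommandLine=notepad.exe C:\notes.txt
"""

# Hypothetical set of accounts that existed before the hunting window; in practice
# pull this from the directory. Kept lower-case so comparisons are case-insensitive.
KNOWN_ACCOUNTS = {"administrator", "jsmith", "alice", "svc_backup", "helpdesk", "backupadmin"}

LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe"}
BITLOCKER_ON = re.compile(r"\bmanage-bde(\.exe)?\s+-on\b", re.IGNORECASE)
FTP_SCRIPT = re.compile(r"\bftp(\.exe)?\s+.*-s:", re.IGNORECASE)
ENCODED_ARG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # values may contain spaces


def parse_events(text):
    """Turn each non-empty key=value line into a dict of string fields."""
    return [dict(FIELD.findall(line)) for line in text.splitlines() if line.strip()]


def lookalike_of(name, known=KNOWN_ACCOUNTS, threshold=0.8):
    """Return the known account this new name most resembles (e.g. 'svc_backup1'
    next to 'svc_backup'), or None if it is itself known or resembles nothing."""
    candidate = name.lower()
    if candidate in known:
        return None
    score = lambda k: SequenceMatcher(None, candidate, k).ratio()
    best = max(known, key=score)
    return best if score(best) >= threshold else None


def hunt(events, known=KNOWN_ACCOUNTS):
    """Apply the rules in log order; returns (rule, host, detail) tuples."""
    findings = []
    new_accounts = set()  # accounts created inside this window, used for correlation
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Computer", "?")
        if eid == "4720":
            target = ev.get("TargetUserName", "")
            new_accounts.add(target.lower())
            mimic = lookalike_of(target, known)
            if mimic:
                findings.append(("lookalike_account", host, f"{target} resembles {mimic}"))
        elif eid == "4698":
            creator = ev.get("SubjectUserName", "").lower()
            binary = ev.get("Command", "").lower().rsplit("\\", 1)[-1]
            args = ev.get("Arguments", "")
            # Flag a task created by an account that only just appeared, or one that
            # launches a LOLBin with an encoded command line.
            if creator in new_accounts or (binary in LOLBINS and ENCODED_ARG.search(args)):
                findings.append(("suspicious_task", host,
                                 f"{ev.get('TaskName')} created by {creator}: {binary} {args}".rstrip()))
        elif eid == "4688":
            cmdline = ev.get("CommandLine", "")
            if BITLOCKER_ON.search(cmdline):
                findings.append(("bitlocker_enabled", host, cmdline))
            if FTP_SCRIPT.search(cmdline):
                findings.append(("ftp_script_transfer", host, cmdline))
    return findings


if __name__ == "__main__":
    for rule, host, detail in hunt(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] {host}: {detail}")
```

    The look-alike rule is the one worth tuning: a similarity ratio of 0.8 catches a digit or letter bolted onto an existing service account name, which is what “created to look like existing accounts” usually means in practice, while a plain blocklist of new accounts would not. The BitLocker and FTP rules only fire if process command lines are being recorded, so enabling command-line auditing in 4688 events is a prerequisite for this kind of hunt.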

    The Exchange flaw cited, CVE-2021-34473, is part of the chain known as ProxyShell. That is a separate chain from the earlier ProxyLogon Exchange flaws, which were the ones initially exploited by Beijing-backed hackers.

    ASD is confident it can remain on top of technology

    Speaking in Canberra on Thursday, the director-general of the Australian Signals Directorate, of which the Australian Cyber Security Centre (ACSC) is a part, Rachel Noble, said the Five Eyes were ready to handle new technology such as quantum computing and the quantum-resistant cryptography needed to withstand it. “A lot of planning is going ahead now among the Five Eyes for quantum-resistant cryptography, so we’ll be ready when quantum computing is out there [and] encryption keys that protect our military and government secrets will be resistant to that,” she said. “We’ve always sort of stayed on top of technology in that regard, and we love to be first to have that and I’m sure we’ll continue to do that in the future. I think quantum computing has an enormous ability to assist us with our signals intelligence and cyber defensive missions. “So of course, we’re investing in making sure we’re ready to go when the world delivers it to us.”

    The director-general said there were times previously when the ASD believed intelligence-gathering avenues could go dark, but that has not come to pass. “I recall at the time the conversations in ASD about how difficult this would be for us. The irony now is that we feared the lack of communications on the airways and yet now most of us will connect to the Internet by Wi-Fi,” Noble said. “That’s not to say that the change didn’t bring huge challenges for us. Through a mastery of our business and innovation — the people of ASD prevailed.”

    Noble said efforts last year to take down COVID-19 scammers saw ASD resort to offensive cyber operations because trying to get local telcos to block each IP was not working and became a game of whack-a-mole. “We used our covert online operations and computer network attack capabilities to infiltrate the syndicate and tear it down from the inside. I am proud to say that to this day, that syndicate has not been able to restart their vile business and we’ll be there if they try,” she said. “In cyberspace, ASD is increasingly becoming the first and last line of digital defence that protects our country from cyber attacks, and thwarts those who seek to attack Australia by launching offensive cyber operations of our own. And we are right now fighting that battle with criminals — state actors and serious and organised crime.”

    Earlier this year, Noble revealed a nationally-known company resisted approaches from the ASD after being hacked, and called in the lawyers. Speaking on Thursday, Noble said ASD could bring signals intelligence expertise to bear in such situations. “It is this intelligence, the decades of investment in capabilities, and the expertise of our people that give us a cutting edge as cybersecurity experts over and above any private company and any other governments in the world,” she said. “So when we ring you and tell you we think you’ve got a problem, and give you some advice about what you might want to do about that, I implore you to take that advice and understand that it might be coming from some of the most top secret and sensitive insights in the world. “We might not be able to tell you the details of what those insights are and in the end you can take your own chances for not listening. “But in the national interest, we would prefer that you didn’t take that chance.”


    Singapore delays satellite road toll system due to global chip shortage

    Singapore has again pushed back the deployment of its next-generation electronic road pricing (ERP) system, this time, due to the global chip shortage. The satellite-based network is now expected to be rolled out in the second half of 2023, instead of end-2021. It was originally slated to be implemented from 2020, but this was delayed to early this year with completion set for mid-2023. The government then had pointed to the impact of COVID-19 on global supply chains as the reason for the revised timeline. With the Global Navigation Satellite System (GNSS) ERP network now anticipated to be rolled out only from the second half of 2023, it would mean a delay of almost two years before implementation works–spanning 18 months–would be completed. These will include the installation of a new on-board unit, to replace current in-vehicle units, which are mandatory for all registered vehicles in Singapore, with few exceptions that include vehicles that do not use public roads on the mainland or are subject to usage restrictions such as tractors and construction equipment.  

    The on-board unit is described as “central” to the new ERP system, providing various services to motorists such as alerts on electric charging locations and real-time traffic data. The supply of critical microchips needed for these units, however, had been affected by the “worsening” global shortage, which also had impacted other industries, said the Land Transport Authority (LTA) in a statement Wednesday. The industry regulator noted that, amidst accelerated global demand during the pandemic, the suspension of operations in major semiconductor foundries across multiple countries had affected production. This, in turn, severely impacted the production of electronic devices in multiple sectors including consumer electronics, industrial machines, and automotive. According to LTA, parts required for the on-board units had to be sourced from different suppliers, some of which had indicated their inability to meet the required delivery schedules for critical components. This shortage was expected to continue throughout 2022, with chip production projected to ramp up gradually from end-2022 to mid-2023. 

    Due to the uncertainty in the supply chain, installation of the on-board units should only commence when production was “stable and sufficient”, it said. “To ensure a smooth and uninterrupted installation exercise for all motorists, the installation of on-board units is now planned to commence in the second half of 2023, instead of end-2021,” LTA said. It added that it would work with local systems integrator NCS and Mitsubishi Heavy Industries (MHI) Engine System Asia on the production and installation of the on-board units. MHI Machinery Systems’ president Naoaki Ikeda said the company was “working closely” with its supply chain partners to source the affected components and “safeguard their availability” for the installation.

    Singapore’s current ERP system, launched in 1998, uses a combination of smart card and RFID (radio frequency identification) technology to collect toll charges as vehicles, including motorbikes, drive through gantries. These typically are located along highways and roads that are frequently congested during peak hours. Smart cards carrying stored cash value, also dubbed CashCards, are inserted into the in-vehicle units and funds are deducted each time the vehicle passes through an ERP gantry that is in operation. According to LTA, the current system is increasingly expensive to maintain and the new GNSS infrastructure will do away with the need for bulky gantries, which will be replaced with slimmer ones.

    As of October 2021, Singapore has a vehicle population of 987,450 that comprises cars, taxis, buses, and motorcycles.


    Now Iran's state-backed hackers are turning to ransomware

    Microsoft has detailed the activities of six Iranian hacker groups that are behind waves of ransomware attacks that have arrived every six to eight weeks since September 2020. Russia is often seen as the home of the biggest cyber-criminal ransomware threats, but state-sponsored attackers from North Korea and Iran have also shown a growing interest in ransomware. 


    Microsoft said Iranian hacking groups are using ransomware either to collect funds or to disrupt their targets, and are “patient and persistent” while engaging with their targets, although they will also use aggressive brute-force attacks.

    The most consistent of the six Iranian threat groups is one Microsoft tracks as Phosphorus (others call it APT35). Microsoft has been playing cat and mouse with the group for the past two years. While initially known for cyber espionage, the group has turned to deploying ransomware on targeted networks, often using Windows’ own disk-encryption tool, BitLocker, to encrypt victims’ drives rather than dropping a custom encryptor. Other cybersecurity firms last year detected a rise in ransomware from Iranian state-backed hackers using known Microsoft Exchange vulnerabilities to install persistent web shells on email servers and deploy Thanos ransomware. According to Microsoft, Phosphorus was also targeting unpatched on-premises Exchange servers and Fortinet’s FortiOS SSL VPN in order to deploy ransomware.

    In the second half of 2021, the group started scanning for the Exchange flaws known as ProxyShell. These are not the same as ProxyLogon: the ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) was exploited as a zero-day by Beijing-backed hackers and patched by Microsoft in March 2021, while ProxyShell is a separate chain, including CVE-2021-34473, that Microsoft patched in April and May 2021.

    An account by security specialist The DFIR Report notes Phosphorus used BitLocker on servers and DiskCryptor on PCs. Their activity stood out because it didn’t rely on the ransomware-as-a-service offerings that are popular among cyber criminals and didn’t create custom encryptors. “After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources,” the Microsoft Threat Intelligence Center (MSTIC) notes in a blogpost. “From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.”

    The group also tries to steal credentials by sending “interview requests” to targeted individuals through emails that contain tracking links to confirm whether the user has opened the message. Once a response is received from the target, the attackers send a link to a list of interview questions and then a link to a fake Google Meet page, which steals login details.

    Other groups mentioned in Microsoft’s report included an emerging Iranian hacking group that recently targeted Israeli and US organizations in the Persian Gulf with password-spraying attacks. Microsoft highlights that the adoption of ransomware aided the Iranian hackers’ efforts in espionage, disruption and destruction, and in supporting physical operations. Their arsenal included ransomware, disk wipers, mobile malware, phishing, password-spray attacks, mass exploitation of vulnerabilities, and supply chain attacks.


    The ransomware threat is getting worse. But businesses still aren't taking it seriously

    Ransomware is the most significant cybersecurity threat facing the country today, but many businesses still aren’t taking the threat as seriously as they should be, the National Cyber Security Centre (NCSC) has warned. In its newly published annual review, the NCSC – the cybersecurity arm of intelligence agency GCHQ – details the incidents and threats the UK has faced during the past 12 months, including cyberattacks against the health service and vaccine developers during the coronavirus pandemic, state-sponsored cyber-espionage campaigns, phishing scams and more.  

    But, because of the likely impact a successful attack could have on essential services or critical national infrastructure, it’s ransomware that is viewed as the most dangerous cyber threat, and one that more leadership teams need to think about.

    “One of the trends that the NCSC has seen over the last year was a worrying growth in criminal groups using ransomware to extort organisations. In my view it is now the most immediate cybersecurity threat to UK businesses and one that I think should be higher on the boardroom agenda,” said Lindy Cameron, CEO of the NCSC.

    The number of ransomware attacks has grown significantly during the past year: by the end of April 2021 the NCSC had handled as many incidents as in the whole of 2020. “In the first four months of 2021, the NCSC handled the same number of ransomware incidents as for the whole of 2020 – which was itself a number more than three times greater than in 2019,” said the NCSC report.

    The severity of some ransomware attacks means organisations can take a long time to recover. The NCSC paper notes that Hackney London Borough Council suffered significant disruption to services when a cyberattack resulted in IT systems being down for months, affecting the availability of local services, and requiring a recovery that cost millions of pounds.  Alongside local governments, universities have been a common victim of ransomware attacks, to the extent the NCSC has issued specific advice on how these institutions can protect themselves against attacks. “In the UK there was an increase in the scale and severity of ransomware attacks, targeting all sectors from businesses to public services. In response, the NCSC has identified and mitigated numerous threats, whether committed by sophisticated state actors, organised criminal groups or lone offenders,” said Sir Jeremy Fleming, director of GCHQ.  In total, including ransomware attacks, the NCSC has helped handle 777 incidents during the past year, up from 723 on the previous year and an average of 643 a year since the NCSC launched in 2016. 

    But while ransomware is a significant and ever-evolving threat, there are measures that organisations can take to help avoid falling victim to an attack, or to lessen the impact should the network be compromised by file-encrypting malware.

    As detailed by the paper, the most common entry point for ransomware attacks is remote desktop protocol (RDP), where attackers take advantage of insecure RDP configurations, such as internet-exposed services protected only by weak or reused passwords, to gain access to the network. Organisations can counter this by requiring unique, difficult-to-guess passwords (the NCSC recommends combining three random words) and by introducing multi-factor authentication as an extra barrier to attacks. The shift towards remote working has led to a big rise in the use of Virtual Private Networks (VPNs) which, if not managed properly, can provide a gateway for outside attackers to enter the network. The paper also notes how ransomware gangs take advantage of unpatched devices and advises organisations to roll out security updates in a timely fashion so that known vulnerabilities cannot be exploited against them.

    The NCSC regularly publishes advice on threats and how to protect networks from attacks, and one of the key aims of the organisation is to make sure the message gets heard by those who need to hear it. “Ransomware, mostly, doesn’t need a specific response, it needs the things we’ve been telling people to do for a long time. Part of our challenge is helping people do that or understanding what they need to do to apply it as much as possible,” said Cameron.


    Why are you still using QWERTY? 2021's most common passwords revealed

    An analysis of password habits worldwide has revealed we are still performing poorly when it comes to strong credential management. 

    While the idea of using passwords such as QWERTY, 123456, and PASSWORD might seem like a joke these days, they are still commonly found in data dumps of stolen credentials published online. Major online service providers now often enforce passwords with lower-case and capital letters, numbers, and special characters, and may also encourage or enforce multi-factor authentication (MFA). However, businesses may not impose the same standards. In addition, ghost and forgotten accounts, hardcoded credentials, and the re-use of username and password combinations are still common problems today.

    On Wednesday, NordPass published its annual study of password use across 50 countries, the “Most Common Passwords” report, an evaluation of a database containing 4TB of leaked passwords, many of which originated from the US, Canada, Russia, Australia, and Europe. According to the researchers, the most common passwords in 2021, worldwide, were:

    • 123456 (103,170,552 hits)
    • 123456789 (46,027,530 hits)
    • 12345 (32,955,431 hits)
    • qwerty (22,317,280 hits)
    • password (20,958,297 hits)
    • 12345678 (14,745,771 hits)
    • 111111 (13,354,149 hits)
    • 123123 (10,244,398 hits)
    • 1234567890 (9,646,621 hits)
    • 1234567 (9,396,813 hits)

    Among the findings, the researchers also found that a “stunning” number of people like to use their own name as a password (“charlie” was the 9th most popular password in the UK over 2021, as it happens).

    “Onedirection” was a popular music-related password, and the number of times “Liverpool” appears could indicate how popular the football team is, although in Canada “hockey” was unsurprisingly the top sports-related option in active use. Swear words are also commonly employed, and when it comes to animal themes, “dolphin” was the most popular choice internationally. Aside from number sequences and keyboard patterns, other local favourites made national top-10 lists, including the surname “Chregan” in South Africa, the city “Barcelona” in Spain, and the name “Tiffany” in France.
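    As an added example that is not part of the NordPass report or of the NCSC guidance quoted in the ransomware story above, the Python below turns the two pieces of advice on this page, block the passwords everyone uses and prefer several random words over complexity rules, into a checker. The blocklist is seeded from the top-10 list above plus the other choices the report names; the 12-character floor, the leet-substitution table, the sequence list and the 7,776-word dictionary size are assumptions made for the example.

```python
import math
import re

# The ten most common passwords of 2021 from the list above, plus a few of the other
# weak choices the report names. Illustrative only; a real deployment checks against
# a full breached-password corpus.
TOP10_2021 = ["123456", "123456789", "12345", "qwerty", "password", "12345678",
              "111111", "123123", "1234567890", "1234567"]
OTHER_COMMON = ["onedirection", "liverpool", "hockey", "dolphin", "charlie",
                "barcelona", "tiffany", "chregan"]
BLOCKLIST = set(TOP10_2021 + OTHER_COMMON)
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz"]
# Substitutions a cracking rule set undoes in its first pass (assumed table).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def variants(pw):
    """Forms an attacker's rules would try: case-folded, leet-decoded, and with the
    digits/symbols people bolt on to satisfy complexity rules stripped off."""
    low = pw.lower()
    strip = lambda s: re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    leet = lambda s: s.translate(LEET)
    return {low, leet(low), strip(low), leet(strip(low)), strip(leet(low))}


def is_sequence(s):
    """Keyboard walk or alphabet/digit run, forwards or backwards."""
    return any(s in row or s in row[::-1] for row in SEQUENCES)


def charset_bits(pw):
    """Naive strength estimate from character classes. An upper bound only:
    'qwerty' scores about 28 bits here yet is the fourth most used password."""
    size = sum(n for pattern, n in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
                                    (r"[^A-Za-z0-9]", 33)) if re.search(pattern, pw))
    return len(pw) * math.log2(size) if size else 0.0


def passphrase_bits(word_count, dictionary_size=7776):
    """Bits for words drawn uniformly from a dictionary (default: diceware-sized)."""
    return word_count * math.log2(dictionary_size)


def assess(pw, username=None, min_length=12):
    """Return ('reject', reason) or ('accept', estimate). The 12-character floor is
    an assumed local policy, not something the NCSC or NordPass specify."""
    forms = variants(pw)
    if forms & BLOCKLIST:
        return "reject", "matches or is a trivial variant of a known common password"
    if username and username.lower() in forms:
        return "reject", "equals the account name"
    if any(len(v) >= 4 and is_sequence(v) for v in forms):
        return "reject", "keyboard or alphabet sequence"
    if len(set(pw)) <= 2:
        return "reject", "repeated characters"
    if len(pw) < min_length:
        return "reject", f"shorter than {min_length} characters"
    return "accept", f"~{charset_bits(pw):.0f} bits by character class (upper bound)"


if __name__ == "__main__":
    for pw in ["qwerty", "P@ssw0rd1", "0neDirection", "Liverpool2021", "asdfghjkl!",
               "7777777777", "Tr0ub4dor", "tractor-biscuit-lantern"]:
        print(f"{pw!r:28} -> {assess(pw)}")
    print(f"three random words: ~{passphrase_bits(3):.0f} bits; "
          f"'qwerty' on paper: ~{charset_bits('qwerty'):.0f} bits")
```

    The numbers make the point the two articles share: a character-class calculation credits “qwerty” with about 28 bits, yet it sits fourth in the dataset, so a blocklist with variant folding catches what complexity rules miss (“P@ssw0rd1” folds straight back to “password”), while three words drawn at random from a 7,776-word list give about 39 bits with nothing to remember but the words.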


    Best VPN Black Friday deals: Surfshark for $2.21/mo, NordVPN for $3.29/mo

    Over the past months, we’ve published a lot of useful information about VPNs. But this article is unique. In this article, we’re going to do our best to help you save a few bucks. Below are the latest and greatest Black Friday and Cyber Monday VPN deals we’ve been able to scour from around the net, from the VPN vendors themselves, and from the secret whispers of VPN aficionados pumping as much caffeine into their veins as possible to keep up with their need for bits, all day and all night.

    Keep in mind that VPN vendors are aggressive marketeers even outside of the silly season. But when the floodgates open up, they get even more enthusiastic. So while there are some not-bad Black Friday and Cyber Monday “deals” presented in this article, keep in mind that most VPN vendors are constitutionally incapable of resisting the urge to offer regular deal promotions, and you might just find good deals at other times during the year.

    Terms and conditions

    Be very careful about the terms of the deal. VPN vendors have decided to jump on the bandwagon of one of the most reprehensible tactics used by the web hosting business: listing price by month but charging by year, followed by massive jumps in price when your service automatically renews. PureVPN, for example, promotes its offering as $2.04 per month, but actually charges you for 24 months, or $49. Then, when 24 months pass, it slams you with a $70 bill, bringing your monthly cost from two bucks to nearly six, a three-fold increase. IPVanish’s monthly rate jumps from the $3.20/mo promo price to $7.50 per month, and your card gets hit for $90 all at once.

    One of the best ways to take advantage of these promo deals without getting slammed later is to make a calendar entry the month before renewal so you know to cancel the service in time. Since there’s nothing to lock you into a VPN service (they all do basically the same stuff), you can jump onto the next service with a good deal when renewal time comes around.

    So, I’ve listed these in order of cheapest per month to most expensive, but beware of the renewal surge, with all those caveats.

    Pay now: $50 for three years
    How they pitch it: 3-year plan for $1.39/mo + 3 months free
    Money-back guarantee: 30 days
    Auto-renew: Yes, the price skyrockets to $47.83 per year

    They say you need the coupon code BLACKFRIDAY, but I just went to their site and hit their big Black Friday banner. The deal here is good on a per-month basis, but put that renewal date in your calendar for three years from now. Otherwise, you’ll be slammed paying three times more when it renews. This is a middle-of-the-road VPN with support for just Windows, Mac, iOS, and Android. But it has one thing going for it: you can use it on all your devices. There’s no five-device limit, as is the case with many other vendors.

    Pay now: $49 for 24 months
    How they pitch it: $2.04/mo for 24 months
    Money-back guarantee: 31 days
    Auto-renew: Yes, the price balloons to $70 per year

    These folks are running one of those annoying countdown clocks on their page as if they won’t take your order after the deadline. They’re also trying to virtue signal by offering a 31-day money-back guarantee while everyone else is offering 30. Whether 30 or 31 days, it’s on you to test your purchase to be sure it does what you need. PureVPN allows 10 devices, and it supports a pretty wide range of platforms. Beyond that, it offers the usual features, ranging from a kill switch to split tunneling and even a fixed IP as an upsell for business buyers. Back in 2018, we ran an article about IP leaks, but all indications are they’ve fixed those problems since then.

    Pay now: $59.76 for 27 months
    How they pitch it: $2.21/mo for 24 months + 3 free months
    Money-back guarantee: 30 days
    Auto-renew: Yes, the price might bump up

    The Surfshark marketing folks are going to town with the large fonts and Black Friday animations. They have a countdown clock, an announcement about a price drop where the word “drop” actually drops, and even a spinning, flashing, 200-point “Ultimate”. So, they really want you to buy.

    Our review: Surfshark VPN review: It’s cheap, but is it good?

    It looks like your bill will double once the promo runs out. They say, “59.76 billed now, then annually starting after 27 months.” So keep that in mind and make a note in your calendar if you want to cancel.

    Pay now: $38 for 12 months
    How they pitch it: $3.20/mo for 12 months
    Money-back guarantee: 30 days
    Auto-renew: Yes, the price explodes to $90/year

    The most important thing is to watch out for that automatic billing hit. $90 a year is a big jump, and it’s among the most expensive we’ve seen for any service that bills for more than one month.

    Our review: IPVanish review: A VPN with a wealth of options

    That said, I gave it a pretty positive review. Although some conditions apply, the service offers unlimited connections, and they support quite a lot of clients. I was pretty bullish on the features but wasn’t entirely sure I’d want to use the service if I was hiding from a government or otherwise wanted to secure my privacy completely.

    Pay now: $79 for 24 months
    How they pitch it: $3.29/mo for 24 months
    Money-back guarantee: 30 days
    Auto-renew: Yes, the price might bump up

    Nord is also rocking a countdown clock. The VPN vendors love this kind of involvement device because it helps create a sense of urgency among prospects. It’s kind of Marketing 101, applied to service sales. As you can see, I’ve spent quite a bit of time getting to know the service and the company. The deal they’re offering isn’t the best, but six simultaneous connections are generally pretty workable. Overall, the company’s performance was consistent among the VPNs I’ve tested, and you could do worse than choosing this vendor.

    Pay now: $120 for 24 months
    How they pitch it: $4.99/mo for 24 months
    Money-back guarantee: 30 days
    Auto-renew: Yes, the price jumps to $160 for 2 years

    Here’s a note for US-based customers who might be confused. When you click into the company’s promo page for Black Friday, you’re taken to euro-based pricing. Hit the little USD menu item under the middle deal to get dollar-based pricing. Interestingly, they charge the same digits (5.99) in both euros and dollars, but €5.99 is about $6.82, so you’re actually saving money if you buy with dollars. As for how many simultaneous connections they allow, I have no idea; I’ve looked all over their site and sent out a query to the company but haven’t heard back. I’ll update this if I find out. Beyond that, the company has been working hard on a speed upgrade, which we reported earlier this year.

    I get a lot of questions about VPNs, and I’ve answered many of them in the articles below. They’re definitely worth your time if you’re on the fence about what a VPN can do for you.



    Belarus government accused of 'partial responsibility' for Ghostwriter campaigns

    The Belarusian government has been accused of at least “partial responsibility” for Ghostwriter attacks in Europe. 

    While cybersecurity companies often err on the side of caution when it comes to attribution, Mandiant says it has “high confidence” that UNC1151, the group behind the Ghostwriter activity, is linked to the Belarusian government. Sanctions were placed on Belarus earlier this year after the forced diversion of a commercial flight into Belarusian airspace to arrest a passenger, the dissident journalist Roman Protasevich. Since then, the country’s President, Alexander Lukashenko, has been accused of engineering a migrant crisis in retaliation to destabilize the EU. The attribution of Ghostwriter to the ruling government suggests the retaliation may go further. The European Council has previously accused Russia of involvement in Ghostwriter. According to the researchers, Russian interference cannot be “ruled out,” but other indicators suggest that Belarusian interests are at the heart of the operation, in which government and private sector entities in Ukraine, Lithuania, Latvia, Poland, and Germany are commonly targeted. Ghostwriter has also been involved in attacks against Belarusian dissidents, media, and individual journalists.

    UNC1151, active since 2016, and Ghostwriter once focused on promoting anti-NATO material through phishing, spoofing, and hijacking vulnerable websites. From 2020, however, the operations expanded into attempts to influence Polish politics and to steal sensitive information via credential theft. UNC1151 also targeted Belarusian media outlets and opposition members ahead of the 2020 election, a disputed landslide win. No attacks have been recorded against Russian or Belarusian state entities. “Additionally, in several cases, individuals targeted by UNC1151 before the 2020 Belarusian election were later arrested by the Belarusian government,” Mandiant says.

    Many of Ghostwriter’s campaigns push anti-NATO narratives. Since mid-2020, the group has spread content accusing NATO of corruption, the military of spreading COVID-19, and alleging corruption in Lithuanian and Polish politics. The EU has also been criticized in recent campaigns. “Ghostwriter narratives, particularly those critical of neighboring governments, have been featured on Belarusian state television as fact,” the researchers added. “We are unable to ascertain whether this is part of a coordinated strategy or if it is simply Belarusian state TV promoting narratives that are consistent with regime interest and being unconcerned with accuracy.”