Home News “Ghostwriter” Uses Fabricated News as an Attack Vector

“Ghostwriter” Uses Fabricated News as an Attack Vector

ProxyShell Vulnerabilities

Security experts from FireEye discovered a fake news campaign spreading false stories, quotes, and other documents related to the North Atlantic Treaty Organization (NATO).  The campaign is targeted at people in Lithuania, Poland, and Latvia.

The disinformation campaign, dubbed as “Ghostwriter” has been active since 2017, wherein attackers compromised real news websites to post anti-U.S. and COVID-19-themed  falsified narratives. In addition, the attackers also mixed black SEO, Google Sites, and spam pages to trick the victims into clicking malicious URLs. While it is unknown who is behind this campaign, FireEye researchers stated that the campaign is aligned with Russian security interests.

“Many, though not all of the incidents we suspect to be part of the Ghostwriter campaign, appear to have leveraged website compromises or spoofed email accounts to disseminate fabricated content, including falsified news articles, quotes, correspondence and other documents designed to appear as coming from military officials and political figures in the target countries,” FireEye researchers said in a report.

Disinformation Campaign

The Ghostwriter operators have been using compromised websites and spoofed email accounts to distribute fake content, including fabricated correspondence from military officials. “For example, a quote falsely attributed to the commander of the NATO eFP Battle Group was used to push a narrative that Canadian soldiers stationed in Latvia had been diagnosed with COVID-19, stating: “Yes, 21 soldiers have tested positive for the virus. We have taken the necessary security measures, but not everyone has the same immunity. All necessary measures are being taken. The soldiers are isolated,” the report said.

In another case, the hackers posted a fake letter pretending to be from NATO Secretary General Jens Stoltenberg, carrying news about Atlantic partnership planning to withdraw from Lithuania in response to the COVID-19 pandemic.

The attackers exploited the compromised content management systems (CMS) of multiple news agencies and replaced original articles with fake news.  “Multiple indicators suggest that at least 14 suspected Ghostwriter personas have published articles promoting narratives corresponding with at least 15 suspected Ghostwriter operations since 2017. We have observed at least six of these personas leveraged in multiple Ghostwriter operations. Many claim to be locals, journalists, or editors of the target countries in biographies they have listed on sites to which they contribute content,” the researchers added.

Identifying fake news has become a challenge for users and organizations. And unfortunately, there is no proper method, as of now, to stop the spread of fake news. However, implementation of appropriate legal regulations may curb threat actors from spreading fake news, while at the same time, readers also should be vigilant to identify/report such stories.