{"id":16788,"date":"2021-07-16T04:36:52","date_gmt":"2021-07-16T04:36:52","guid":{"rendered":"https:\/\/informnapalm.org\/en\/?p=16788"},"modified":"2021-07-16T04:36:52","modified_gmt":"2021-07-16T04:36:52","slug":"info-attack-targeting-lithuania-bears-hallmarks-of-operation-ghostwriter","status":"publish","type":"post","link":"https:\/\/informnapalm.org\/en\/info-attack-targeting-lithuania-bears-hallmarks-of-operation-ghostwriter\/","title":{"rendered":"Info attack targeting Lithuania bears hallmarks of Operation Ghostwriter"},"content":{"rendered":"
\n
\n
\n
\n

The coordinated information attack attempted to fundraise for Sviatlana Tsikhanouskaya\u2019s inauguration as the new President of Belarus. We are presenting @DFRLab<\/a><\/span> research <\/em><\/strong>for InformNapalm readers. Research\u00a0<\/em><\/strong>made by Vaidas Sald\u017ei\u016bnas, Nerijus Maliukevi\u010dius, and Lukas Andriukaitis<\/strong>.<\/em><\/strong><\/p>\n

\n
\n
\n
\n
\n
\n
\u00a0A coordinated information attack involving hacked websites and social media accounts struck Lithuania in late April 2021. A number of small Lithuanian websites were hacked to display messages asking for money to fund the inauguration of Sviatlana Tsikhanouskaya, the Belarusian opposition leader. In addition, several social media accounts were hacked using phishing techniques, according to journalists from the outlet\u00a0<\/span>Delfi<\/em><\/a>. Messages shared by these accounts included bank account numbers that traced back to a Polish hospice in Lithuania.<\/span><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n

This attack bore several tactical hallmarks of a sophisticated influence campaign identified in July 2020 by the cybersecurity company FireEye, codenamed \u201cGhostwriter<\/a>.\u201d Ghostwriter started in 2017 and focused on Lithuania, Latvia, and Poland, targeting NATO troops in the region. On April 28, 2021, FireEye updated the report to indicate an expansion of narratives and targeted audiences and by attributing with high confidence some components of Ghostwriter\u2019s influence activity to UNC1151, a suspected state-sponsored\u00a0cyber espionage actor<\/a>. While there was no conclusive attribution to a particular state actor, Ghostwriter generally pushes narratives aligned with Russia\u2019s security interests.<\/p>\n

The timing of the attack on Lithuanian targets \u2014 it first surfaced on April 29, just one day after FireEye updated its assessment of Ghostwriter\u2019s influence activity \u2014 suggested that this may be the latest incident.<\/p>\n

Operation Ghostwriter<\/strong><\/h2>\n

On April 29, 2021, one day after the release of the Ghostwriter update, the Lithuanian newspaper\u00a0Valstie\u010di\u0173 \u017einios<\/em>\u2019s website Valstietis.lt was hacked and a fake article inserted into its news feed. One more hack appeared the next day, on April 30, with the placement of almost identical fake information. This information was removed from the website in a few hours, but still appears on a cached copy of the site accessible by Google Search.<\/p>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\"\"<\/div>\n<\/div>
Screenshots of Valstietis.lt hacks (April 30 \u2014 top left; April 29 \u2014 right). The Google search still returns the search with the fake message (bottom left). (Source:\u00a0<\/em>Valstietis.lt<\/em><\/a>)<\/em><\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n

The fake message (with clunky Russian syntax and grammar) was accompanied by a video and alleged that Lithuanians, in solidarity with Belarusian opposition activist Pavel Latushko, should organize a presidential inauguration ceremony for Sviatlana Tsikhanouskaya. Both targets of this disinformation attack are Belarusian activists living in exile. Tsikhanouskaya is the leader of the Belarusian opposition and ex-candidate in the presidential election of August 2020, in which incumbent Alyaksandr Lukashenka claimed victory despite reports of\u00a0electoral fraud<\/a>\u00a0and ensuing pro-democracy protests. She sought refuge in Lithuania after an intimidation campaign and attempted arrest by the Belarusian security services. In April 2021, Pavel Latushko, a former diplomat, announced plans for his own party and called for a new wave of protests in Belarus against the Lukashenka regime.<\/p>\n

This is not the first time Valstietis.lt has been hacked. During the previous attack, a fake article alleging the pollution of the Neris River with nuclear waste during NATO military drills, was\u00a0inserted<\/a>\u00a0into the newsfeed. Regional media outlets with poor or no cybersecurity capabilities have become easy targets for hacking and disinformation\u00a0campaigns<\/a>\u00a0recently in Lithuania.<\/p>\n

This time the attackers used a novel spin in their fake article: people were invited to donate money for the alleged inauguration ceremony and directed to specific bank accounts for financial transfers, presenting the targeted Belarusian activists as financial fraudsters. Attackers used the bank accounts of the Hospice of Blessed Priest Mykolas Sopochka, well-known Polish charity organization in Vilnius. On May 7, 2021, the hospice\u00a0denied<\/a>\u00a0having anything to do with this information campaign.<\/p>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\"\"<\/div>\n<\/div>
Hospice uses the same bank accounts for its charity work. Account information has been redacted. (Source:\u00a0klubygp.pl<\/a>\/archive<\/a>, top left;\u00a0@lnk.lt<\/a>\/archive<\/a>, bottom left;\u00a0hospisas.lt<\/a>\/archive<\/a>, right)<\/em><\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n

The Ghostwriter update by FireEye emphasized that recent disinformation operations have heavily targeted Polish organizations and public figures. It is no surprise, then, that a recent iteration may have taken advantage of the complicated history of Lithuanian-Polish relations. As security studies professor Thomas Rid\u00a0pointed out,\u00a0<\/a>\u201cThe goal of disinformation is to engineer division by putting emotion over analysis, division over unity, conflict over consensus, the particular over the universal.\u201d The recent attacks in Lithuania and Poland follow this \u201cdivide and conquer\u201d pattern.<\/p>\n

Ghostwriter strikes again<\/strong><\/h2>\n

Open-source clues suggested that preparations for the attack on Valstietis.lt started at least two days earlier. On April 27, the YouTube channel Mi\u0161ko broliai (\u201cForest brothers\u201d) was created. The YouTube channel\u2019s name refers to Lithuanian resistance fighters against the Soviet occupation, invoking patriotic themes. A few videos were posted on this channel over the next few days.<\/p>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\"\"<\/div>\n<\/div>
Screenshot of YouTube channel\u00a0<\/em>Mi\u0161ko broliai. (Source:\u00a0<\/em>@Mi\u0161ko Broliai<\/em><\/a>\/<\/em>Archive<\/em><\/a>)<\/em><\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n

The videos focused on history, contemporary politics, and protests in neighboring Belarus. They were designed to attract some viewership and to mimic normal online behavior of an ordinary YouTube streamer. On April 29, the day of the attack, the hack that later appeared on Valstietis.lt was posted on YouTube by this channel.<\/p>\n

\n
\n
\"\"<\/div>\n<\/div>
Screenshot of the video from YouTube channel Mi\u0161ko broliai.<\/em>\u00a0(Source:\u00a0<\/em>@Mi\u0161ko Broliai<\/em><\/a>\/<\/em>Archive<\/em><\/a>)<\/em><\/em>\u00a0<\/figcaption><\/figure>\n

The video contained excerpts from the inaugurations of French President Emmanuel Macron and Lithuanian President Gitanas Naus\u0117da. The Vienna Waltz by Johann Strauss was used for the background music alongside the message, \u201cWe must organize a festive inauguration of Sviatlana Tsikhanouskaya.\u201d<\/p>\n

When the fake article with the video was inserted into the Valstietis.lt site, the cyber component of this operation was already in full swing: multiple internet sites had been attacked via security gaps in their web maintenance service,\u00a0Synergy Effect<\/a>.<\/p>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\"\"<\/div>\n<\/div>
Screenshots of multiple attacks on Lithuanian internet sites. <\/em>(Source:\u00a0Jusunamas.lt<\/a>\/Archive<\/a>, left;\u00a0Drutsraigtis.lt<\/a>\/Archive<\/a>;\u00a0KaratePuma.lt<\/a>, right)<\/em><\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n

Although this recent attack targeted Belarusian opposition leaders in Lithuania, it follows the pattern of previous attacks against NATO troops, extensively described by FireEye in its report on Operation Ghostwriter. One important feature of this disinformation attack stands out: the way the attackers intended to distribute disinformation across the social media ecosystem.<\/p>\n

The perpetrators decided to use a \u201csuper spreader\u201d technique. First, they hijacked the Twitter and Facebook accounts of a key member of the patriotic organization \u201cLithuanian Freedom Fighters Union.\u201d Second, they used the accounts for spreading disinformation at scale: these messages purposefully tagged major Lithuanian media outlets, politicians, foreign embassies, and other key social media accounts to get their attention.<\/p>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\"\"<\/div>\n<\/div>
Screenshots of activity on hijacked Twitter (left) and Facebook (right) accounts. (Source: Meltwater Explore, left;\u00a0<\/em>Facebook<\/em><\/a>\/<\/em>archive<\/em><\/a>, right)<\/em><\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n

This account holder told\u00a0Delfi\u00a0<\/em>(the largest Lithuanian media outlet that first\u00a0reported<\/a>\u00a0on this and similar disinformation attacks in the past) that his social media accounts were compromised. He then realized that he was unable to access his accounts for several days (coinciding with the period of the disinformation attack). He told journalists that he personally did not spread the disinformation, and this was done by a malicious actor from his account, after he unwittingly disclosed his passwords by replying to a phishing email.<\/p>\n

His Twitter account was registered in 2012, but until April 30 the account was empty and did not contain a single tweet. On April 30, though, the account published 163 Twitter replies to different posts by Lithuanian and international media, political parties, prominent political and public figures to amplify the disinformation message in the Valstietis.lt hack and the YouTube video. On Facebook, this account holder happened to befriend a large number of decision makers, including the Lithuanian Prime Minister and Ministers of Foreign Affairs, National Defense, Finance, Social Security and Labor, as well as key members of parliament. Doing so would allow the operator of the account to reach a much larger and more consequential audience.<\/p>\n

This technique follows the patterns of Operation Ghostwriter, as Lee Foster, senior manager of the information operations analysis team at FireEye, outlined: \u201cWhat\u2019s interesting on the social media side here is the compromise of legitimate accounts to do this, rather than impersonating the accounts, because then you\u2019ve got ready access to the followers of that account, and you have the credibility of the content that\u2019s being\u00a0pushed by that account<\/a>.\u201d<\/p>\n

Although this recent attack was limited in terms of damage done, it once again showed that Operation Ghostwriter is expanding its narratives and targeted audiences, its cyber component becoming more and more complex. The use of super spreader tactics might be an emerging trend to watch for in social networks.<\/p>\n<\/div>\n<\/div>\n<\/section>\n

\n
\n
\n

Vaidas Sald\u017ei\u016bnas<\/em><\/strong><\/a>\u00a0<\/em><\/strong>is a defense journalist at Delfi.lt.<\/em><\/p>\n

Nerijus Maliukevi\u010dius<\/em><\/strong><\/a>\u00a0is a researcher of information warfare and propaganda at the Institute of International Relations and Political Science, Vilnius University.<\/em><\/p>\n

Lukas Andriukaitis<\/em><\/strong><\/a>\u00a0<\/em><\/strong>is an Associate Director with the Digital Forensic Research Lab.<\/em><\/p>\n

\n

Cover photo illustration – picture used in coordinated information attack. Photo<\/span> taken from one of the hacked sites rppc.lt<\/em><\/p>\n

\n

Read more from InformNapalm:<\/h2>\n