
    Behind the scenes of the Russian disinformation operation “Ghostwriter” against NATO states

    “There is an operation taking place in cyberspace, which our competitors call ‘Dworczyk emails’ or ‘Dworczyk gate’, and which has been known internationally among professionals for years as the operation “Ghostwriter”. It is an operation carried out by the cyber security forces of countries hostile to NATO, primarily Belarus and the Russian Federation,” said Michał Rachoń in the #Jedziemy programme. The journalist made an insightful analysis of the methods chosen by foreign services to destabilise the countries under attack and polarise society.

    On Monday, some media reported on screenshots published online purporting to show email correspondence from January 2019 of the head of the Prime Minister’s Office, Michał Dworczyk, in which he allegedly reported on Prime Minister Mateusz Morawiecki’s conversation with the president of the Constitutional Tribunal, Julia Przyłębska.


    “I have never discussed with anyone any judgements of the Court, any rulings of the Constitutional Court,” Przyłębska stated on Tuesday evening.


    When asked about the issue at Wednesday’s press conference in Tarczyn, Prime Minister Mateusz Morawiecki replied:


    “Various editorials fall into the power of Vladimir Putin. Belarusian and Russian services are behind these provocations, behind the hacking of numerous boxes of politicians, including the boxes of opposition politicians.”


    Michał Rachoń analysed the practice of cyber-attacks on Polish politicians in his programme #Jedziemy. He pointed out that NATO decided in 2014 that cyber defence would be “an integral part of collective defence” and that cyber-attacks “could lead to the invocation of Article 5 of the treaty”. Two years later, cyberspace was recognised as an ‘area of military action’.


    “It is in cyberspace that the operation that our competitors call ‘Dworczyk emails’ or ‘Dworczyk gate’ takes place, and which has been known internationally among professionals for years as Operation Ghostwriter. This is an operation conducted by the cyber security forces of NATO enemy states, primarily Belarus and the Russian Federation. The group – secret service officers or their dependents – with the codename ‘Ghostwriter’ stands for the operations that have been conducted against NATO countries since 2016,” explained Michał Rachoń.


    Mandiant, a company specialising in cyber security, began applying the term ‘Ghostwriter’ to this operation. The perpetrators stole data that allowed false, disinformative content to be posted on attacked websites.


    “Among others, the head of EU diplomacy, Josep Borrell, was attacked in this way, as well as – a few days before the Russian invasion – Ukraine’s IT infrastructure. Traces of Operation Ghostwriter in the Polish space were visible much earlier,” stated Rachoń.


    A broad plan drawn up in the Kremlin


    According to Mandiant’s report, this is “part of a broader influence operation, conducted since at least March 2017 and coinciding with the Russian Federation’s objectives”.


    “The operations initially targeted citizens of Lithuania, Latvia and Poland with false narratives using attacked websites, hacked email addresses to disseminate fabricated content, including falsified correspondence from military officials,” the report said.


    Mandiant counted as part of this operation, among others, the attacks carried out in May 2020 against the media of SWS (the Free Speech Zone). The Americans explicitly mentioned (as victims of the Russians) the portal and the deputy head of the ‘GP’ Katarzyna Gójska.


    In May 2020, an article attacking the Polish-American alliance was inserted on (and the website of Telewizja Republika), in which one could read: “The American commander did not spare negative assessments for Polish soldiers. […] no strategic reviews, prayers and the WOT (Territorial Defence forces) will obscure the fact that the combat potential of our military is below criticism”. In the same month, the English-language portal ‘The Duran’ published an ‘interview’, allegedly conducted by Katarzyna Gójska. Her interlocutor was supposed to be US Lieutenant General Christopher G. Cavoli, commander of US forces in Europe, claiming that Poland and the Baltic states were fatally organised militarily.


    As part of this operation, a purported letter from Polish General Ryszard Parafianowicz was posted on the pages of the Academy of Military Art, calling the US troops in Poland ‘occupying’. The letter was a complete fake. Fake letters from, among others, Jens Stoltenberg about the ‘withdrawal of NATO troops from Lithuania’ were also published as part of a disinformation operation.


    Another iteration of this operation was the seizure of journalists’ social media accounts.


    Tomasz Sakiewicz’s Twitter profile was the subject of a cyber-attack. The editor-in-chief of GP lost access to an account (the password was changed), which contained a link to an article published on the portal, run by the recently awarded Promethean Union of Poles in Belarus. This article was also a cyber-provocation. One could learn from it that ‘Poland and Lithuania are calling on NATO to send troops to Belarus’.


    Mandiant also mentions, among other things, high-profile cyber-attacks on the social media accounts of United Right politicians as part of Operation Ghostwriter, e.g. hacks on the profiles of Marek Suski, Minister Marlena Maląg, MP Iwona Michałek. 


    According to the Americans, the Russian-linked hacking group UNC1151 was very likely involved in Operation Ghostwriter. Michałek pointed out that the target of the operation was also supposed to be a Belarusian blogger kidnapped by Lukashenko’s services, Raman Pratasevich. 


    “The hijacking of the plane and detention of this man was the reason for the sanctions imposed on Belarus. The effect of the sanctions on Belarus became a pretext for the country to launch a hybrid attack on the Lithuanian, Latvian and Polish borders as part of an artificial migration wave. This shows that all these actions are part of the same broad plan,” Rachoń said.


    Mandiant notes the phishing attack perpetrated against Pratasevich, co-founder of the Belarusian opposition channel Niechta.


    “After the leak of Dworczyk’s emails, the founder of Niechta, Sciapan Puciła, confirmed the attempted hacking attacks on the channel’s authors and announced that the accounts of the Belarusian House, an organisation of the Belarusian minority in Poland, were also targeted,” the VSquare report indicated.


    Grzegorz Wierzchołowski wrote about hacking activities against representatives of other countries in Gazeta Polska.


    “At the end of February 2021 – it was within the framework of the operation ‘Ghostwriter’ – a widespread disinformation campaign hitting NATO and Poland was carried out on the internet and Lithuania’s social media. According to the messages spread on the Lithuanian web – the Polish Ministry of Defence allegedly used women in the army to provide sexual services to important Polish and foreign officials. The named female officer allegedly provided such services to Polish President Andrzej Duda, Lithuanian Foreign Minister Gabrielius Landsbergis and high-ranking US military officials. The Lithuanian Ministry of Foreign Affairs called this action an ‘information attack on Polish-Lithuanian relations’,” we read in ‘GP’.


    Also in Germany, counterintelligence warned of the use of a ‘hack and leak’ strategy by Russian intelligence services, which involves hacking into a victim’s computer or email/social media account, stealing information and then carrying out a ‘leak’ “in a targeted and manipulated manner”.


    “The special situation report [of the German counterintelligence service], as well as the Interior Ministry’s report, mentions the machinations of Russian cyber forces, which the US security company FireEye describes as ‘Ghostwriter’. For months, hackers have been carrying out phishing attacks on the private accounts of members of the Bundestag and state parliaments,” wrote the Tagesspiegel, indicating that around 80 German politicians have been victims of cyber-attacks.


    The case of Dworczyk


    Rachoń pointed out that the VSquare report accurately described the attack on the mailbox of the head of the Polish Prime Minister’s Office, Michał Dworczyk.


    “The report was written with the help of Polish authors Anna Gielewska and Konrad Szczygiel. They identified and reconstructed the message that was used to attack Dworczyk’s mailbox and around 4,000 other precisely selected people in Poland,” the journalist stated. The fabricated message redirected recipients to a website behind which were people linked to Operation Ghostwriter.


    “Following the publication of our information, we contacted Marcin Siedlarz, an expert at Mandiant, to further analyse the established data. His conclusions? This message was sent from an IP number used in other confirmed attacks by the UNC1151 group. What does this mean? That we can assume with high probability that the attack on Dworczyk’s mailbox was carried out by Belarusian hackers,” the report said.


    Rachoń added that, according to the Recorded Future report, the actions of the Belarusian hackers were directed by Russia and methods characteristic of the actions of Russian services are evident. 


    An updated version of the Mandiant report indicated a modification of Operation Ghostwriter.


    “The narratives of the objectives, tactics, techniques and procedures associated with Operation Ghostwriter have evolved. For example, five attacks between October 2020 and January 2021, in which the social media of Polish politicians and officials were taken over and used to spread narratives clearly intended to discredit the Polish government and strengthen existing internal political divisions,” the report said.


    In this context, Michał Rachoń quoted, among others, the entry posted by the authors of Operation Ghostwriter on the Twitter account of MEP Joanna Borowiak, in which she allegedly insulted a participant in the Warsaw Uprising, known for her political commitment. 


    “The cases chosen are highly emotionally and politically charged,” indicated Rachoń.


    The VSquare report indicates that 4,000 targets were identified for the ‘Ghostwriter’ operation in Poland, that data was collected on them and their families, and that around 700 accounts that were taken over and hacked were analysed.


    “The authors draw attention to perhaps the most important aspect of the whole affair. Citizen Lab’s John Scott-Railton is quoted in the report: ‘Tainted leaks plant trees of lies in a forest of truthful information to make them credible when juxtaposed with stolen documents that the public will believe to be true. Those behind this operation can easily predict, given the polarization of the dispute in Poland, that the scandal will take on a life of its own. For example, a statement of >>most of the documents and emails are true<< will give fuel to opposition politicians, a statement to the contrary, that some documents have been manipulated, will support the narrative of the ruling party.”


    Asked about the hackers’ methods, Janusz Cieszyński of the Prime Minister’s Office said:


    “First of all, it is about weakening Poland, weakening the Polish government. There is a recently published chart that shows the value of the arms actually delivered to Ukraine. Poland in absolute terms is right behind the United States in this ranking. We are one of the world leaders in supporting by supplying armaments. What is the result? An attack on the Polish government. We see similar attacks in Lithuania, where cyber-attacks have significantly increased after the decision to block access to the Kaliningrad region,” replied the Secretary of State at the Chancellery of the Prime Minister.



