BY · Belarus · confidence: 50
Ghostwriter
Also known as: UNC1151 · TA445 · PUSHCHA · Storm-0257 · DEV-0257 · UAC-0057 · Ghostwriter
- Origin: BY
- Known aliases: 7
- Target sectors: 1
- Attribution: State-sponsored
Profile
Ghostwriter is a Belarusian-attributed threat actor catalogued by MISP-Galaxy (MISP-Galaxy v341). The group is also tracked as UNC1151, TA445, PUSHCHA (and 3 more). Operational targeting focuses on the Government sector. Documented victim organisations include Germany, Latvia, Lithuania and 2 other named victims. Original record: Ghostwriter is referred to as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.
Aliases · 7
- UNC1151
- TA445
- PUSHCHA
- Storm-0257
- DEV-0257
- UAC-0057
- Ghostwriter
Target sectors · 1
- Government
Known victims · 5
- Germany
- Latvia
- Lithuania
- Poland
- Ukraine
References
- https://www.fireeye.com/blog/threat-research/2020/07/ghostwriter-influence-campaign.html
- https://twitter.com/hatr/status/1377220336597483520
- https://www.mandiant.com/resources/unc1151-linked-to-belarus-government
- https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag
- https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html
- https://socprime.com/blog/uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon/