The Russian connection“Ghostwriter” Influence Campaign: Fabricated Content Pushes Narratives Aligned With Russian Security Interests

Published 31 July 2020

FireEye says that Mandiant Threat Intelligence has tied together several information operations which FireEye assess with moderate confidence to comprise part of a broader influence campaign—ongoing since at least March 2017—aligned with Russian security interests. FireEye has dubbed this campaign “Ghostwriter.”

FireEye says that Mandiant Threat Intelligence has tied together several information operations which FireEye assess with moderate confidence to comprise part of a broader influence campaign—ongoing since at least March 2017—aligned with Russian security interests.

Lee Foster, Sam Riddell, David Mainor, and Gabby Roncone write in a FireEye blog post that the operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda. FireEye has dubbed this campaign “Ghostwriter.”

Many, though not all of the incidents FireEye suspects to be part of the Ghostwriter campaign, appear to have leveraged website compromises or spoofed email accounts to disseminate fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries.

This falsified content has been referenced as source material in articles and op-eds authored by at least fourteen inauthentic personas posing as locals, journalists and analysts within those countries. These articles and op-eds, primarily written in English, have been consistently published to a core set of third-party websites that appear to accept user-submitted content, most notably OpEdNews.com, BalticWord.com, and the pro-Russian site TheDuran.com, among others, as well as to suspected Ghostwriter-affiliated blogs.

Some of these incidents and personas have received public attention from researchers, foreign news outlets, or government entities in Lithuania and Poland, but have not been tied to a broader activity set. Others have received little attention and remain relatively obscure. Mandiant Threat Intelligence has independently discovered several Ghostwriter personas and identified additional incidents involving some of those personas previously exposed.

“We believe the assets and operations discussed in this report are for the first time being collectively tied together and assessed to comprise part of a larger, concerted and ongoing influence campaign,” the FireEye analysts say.