Over the past few years, online disinformation has taken evolutionary leaps forward, with the Internet Research Agency pumping out artificial outrage on social media and hackers leaking documents—both real and fabricated—to suit their narrative. More recently, Eastern Europe has faced a broad campaign that takes fake news ops to yet another level: hacking legitimate news sites to plant fake stories, then hurriedly amplifying them on social media before they’re taken down.
On Wednesday, security firm FireEye released a report on a disinformation-focused group it’s calling Ghostwriter. The propagandists have created and disseminated disinformation since at least March 2017, with a focus on undermining NATO and the US troops in Poland and the Baltics; they’ve posted fake content on everything from social media to pro-Russian news websites. In some cases, FireEye says, Ghostwriter has deployed a bolder tactic: hacking the content management systems of news websites to post their own stories. They then disseminate their literal fake news with spoofed emails, social media, and even op-eds the propagandists write on other sites that accept user-generated content.
That hacking campaign, targeting media sites from Poland to Lithuania, has spread false stories about US military aggression, NATO soldiers spreading coronavirus, NATO planning a full-on invasion of Belarus, and more. “They’re spreading these stories that NATO is a danger, that they resent the locals, that they’re infected, that they’re car thieves,” says John Hultquist, director of intelligence at FireEye. “And they’re pushing these stories out with a variety of means, the most interesting of which is hacking local media websites and planting them. These fictional stories are suddenly bona fide by the sites that they’re on, and then they go in and spread the link to the story.”
FireEye itself did not conduct incident response analyses on these incidents and concedes that it doesn't know exactly how the hackers are stealing credentials that give them access to the content management systems that allow posting and altering news stories. Nor does it know who is behind the string of website compromises, or for that matter the larger disinformation campaign that the fake stories are a part of.
But the company’s analysts have found that the news site compromises and the online accounts used to spread links to those fabricated stories, as well as the more traditional creation of fake news on social media, blogs, and websites with an anti-US and anti-NATO bent, all tie back to a distinct set of personas, indicating one unified disinformation effort. FireEye’s Hultquist points out that the campaign doesn’t seem financially motivated, indicating a political or state backer, and notes that the focus on driving a wedge between NATO and citizens of Eastern Europe hints at possible Russian involvement.
Nor would it be the first time that Russian hackers planted fake news stories; in 2017, US intelligence agencies concluded that Russian hackers breached Qatar’s state news agency and planted a fake news story designed to embarrass the country’s leader and cause a rift with the US, though US intelligence never confirmed the Kremlin’s involvement.
"We can’t concretely tie it to Russia at this time, but it’s certainly in line with their interests," Hultquist says of the Ghostwriter campaign. "It wouldn’t be a surprise to me if this is where the evidence leads us."
Much of the disinformation has focused on Lithuania, as DefenseOne reported late last year. In June 2018, for instance, the English-language, Baltic-focused news site the Baltic Course published a story claiming that a US Stryker armored vehicle had collided with a Lithuanian child on a bicycle, killing the child "on the spot." The same day, the Baltic Course posted a notice to the site that "hackers posted this news about the deceased child, which is FAKE!!! We thank our vigilant Lithuanian readers who reported on our Facebook page about fake new on site. We strengthened security measures."
A few months later, the Lithuanian news site Kas Vyksta Kaune published a story stating that "NATO plans to invade Belarus," showing a map of how NATO forces in Polish and Baltic countries would enter the neighboring country. Kas Vyksta Kaune later acknowledged that the story was fake, and planted by hackers. Someone had used a former employee’s credentials to gain access to the CMS. Then in September of last year, another fake story was posted to the site about German NATO soldiers desecrating a Jewish cemetery, including what FireEye describes as a photoshopped image of a military vehicle with a German flag visible behind the cemetery.
More recently, the fake stories have attempted to exploit fears of Covid-19. One story posted to both Kas Vyksta Kaune and the English-language Baltic Times in January claimed that the first Covid-19 case in Lithuania was a US soldier who was hospitalized in critical condition, but only after he "visited public places and participated in city events with child and youth participation," according to the Baltic Times version of the story.
In April and May of this year, the focus turned toward Poland: A fake story was posted across several Polish news sites in which a US official disparaged local Polish forces as disorganized and incompetent. This time the campaign went even beyond news sites. A fake letter from a Polish military official was posted to the Polish Military Academy website, calling on the Polish military to cease military exercises with the US, decrying the US "occupation" of Poland, and calling the exercises an "obvious provocation" of Russia. The Polish government quickly called out the letter as fake.
FireEye's finding that all of those operations to plant fake news were carried out by a single group comes on the heels of a report from The New York Times that Russia's military intelligence agency, the GRU, has been coordinating the publication of disinformation on sites like InfoRos, OneWorld.press, and GlobalResearch.ca. US intelligence officials speaking to the Times said that disinformation campaign, which included false reports that Covid-19 originated in the US, was specifically the work of the GRU's "psychological warfare unit," known as Unit 54777.
Given the GRU's role in meddling in the 2016 presidential election, including its hack-and-leak operations against the Democratic National Committee and the Clinton Campaign, any GRU role in more recent disinformation raises fears that it may be targeting the 2020 election as well. While FireEye has made no such claims that the Ghostwriter news site compromises were the work of the GRU, Hultquist argues that the incidents in Poland and the Baltics should nonetheless serve as a warning. Even if false stories are spotted quickly and taken down, they could have a significant temporary effect on public opinion, he warns.
"My concern is that we could see this sort of compromised media tactic in the West and even during the election. It’s a perfect sort of last-minute tactic," Hultquist says. "Once the genie is out of the bottle, can you get it back in? Can you make enough people understand this is some foreign power that’s pushed this story? It may be too late."