UNC1151 Cyber Operations Linked to Belarusian Government and Ghostwriter Campaign

Severity: High (Score: 72.6)

Sources: www.mandiant.com, cloud.google.com

Summary

Mandiant Threat Intelligence has assessed with high confidence that UNC1151 is linked to the Belarusian government, conducting cyber operations primarily targeting Ukraine, Lithuania, Latvia, Poland, and Germany. The group has been involved in the Ghostwriter influence campaign, which promotes narratives critical of NATO and has targeted dissidents and journalists. Recent operations have expanded to include domestic political disruption in Poland, leveraging compromised social media accounts. Technical evidence suggests that UNC1151 is based in Minsk and has been active since at least 2017, with no overlaps identified with other Russian threat groups. The campaign has utilized various methods, including credential harvesting and malware, but specific details on tools and CVEs remain undisclosed. The current status indicates ongoing monitoring of UNC1151's activities and their geopolitical implications.

Key Points:

  • UNC1151 is assessed to be linked to the Belarusian government with high confidence.
  • The group conducts operations targeting NATO-critical narratives and dissidents in Eastern Europe.
  • Recent activities include leveraging compromised social media accounts for political disruption in Poland.

Key Entities

  • Apt28 (apt_group)
  • Apt29 (apt_group)
  • Sandworm (apt_group)
  • TEMP.Armageddon (apt_group)
  • Turla (apt_group)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Ghostwriter (campaign)
  • Ghostwriter Information Operations Campaign (campaign)
  • Belarus (country)
  • Germany (country)
  • Latvia (country)
  • Lithuania (country)
  • Poland (country)
  • balticword.com (domain)
  • opednews.com (domain)
  • theduran.com (domain)
  • Government (industry)
  • T1003 - OS Credential Dumping (mitre_attack)