Enlarge / The propagandists have created and spread disinformation since at least March 2017, with a focus on undermining NATO and the US troops in Poland and the Baltics.Petras Malukas | Getty Images

Over the past few years, online disinformation has taken evolutionary leaps forward, with the Internet Research Agency pumping out artificial outrage on social media and hackers leaking documents—both real and fabricated—to suit their narrative. More recently, Eastern Europe has faced a broad campaign that takes fake news ops to yet another level: hacking legitimate news sites to plant fake stories, then hurriedly amplifying them on social media before they're taken down.

On Wednesday, security firm FireEye released a report on a disinformation-focused group it's calling Ghostwriter. The propagandists have created and disseminated disinformation since at least March 2017, with a focus on undermining NATO and the US troops in Poland and the Baltics; they've posted fake content on everything from social media to pro-Russian news websites. In some cases, FireEye says, Ghostwriter has deployed a bolder tactic: hacking the content management systems of news websites to post their own stories. They then disseminate their literal fake news with spoofed emails, social media, and even op-eds the propagandists write on other sites that accept user-generated content.

That hacking campaign, targeting media sites from Poland to Lithuania, has spread false stories about US military aggression, NATO soldiers spreading coronavirus, NATO planning a full-on invasion of Belarus, and more. "They're spreading these stories that NATO is a danger, that they resent the locals, that they're infected, that they're car thieves," says John Hultquist, director of intelligence at FireEye. "And they're pushing these stories out with a variety of means, the most interesting of which is hacking local media websites and planting them. These fictional stories are suddenly bona fide by the sites that they're on, and then they go in and spread the link to the story."

FireEye itself did not conduct incident response analyses on these incidents and concedes that it doesn't know exactly how the hackers are stealing credentials that give them access to the content management systems that allow posting and altering news stories. Neither does it know who is behind the string of website compromises or, for that matter, the larger disinformation campaign that the fake stories are a part of.

But the company's analysts have found that the news site compromises and the online accounts used to spread links to those fabricated stories, as well as the more traditional creation of fake news on social media, blogs, and websites with an anti-US and anti-NATO bent, all tie back to a distinct set of personas, indicating one unified disinformation effort. FireEye's Hultquist points out that the campaign doesn't seem financially motivated, indicating a political or state backer, and notes that the focus on driving a wedge between NATO and citizens of Eastern Europe hints at possible Russian involvement.

This would not be the first time that Russian hackers planted fake news stories; in 2017, US intelligence agencies concluded that Russian hackers breached Qatar's state news agency and planted a fake news story designed to embarrass the country's leader and cause a rift with the US, though US intelligence never confirmed the Kremlin's involvement.

"We can't concretely tie it to Russia at this time, but it's certainly in line with their interests," Hultquist says of the Ghostwriter campaign. "It wouldn't be a surprise to me if this is where the evidence leads us."

  • False news stories planted on the Baltic-focused news sites Baltic Course and Baltic Times claim a US armored vehicle ran over and killed a Lithuanian child (left) and that the first COVID-19 patient in Lithuania is a US soldier who had previously “visited public places and participated in city events with child and youth participation.” Archive.is via Baltic Course and Baltic Times
  • Two false stories planted on the Lithuanian news site Kas Vyksta Kaune, one about a planned NATO invasion of Belarus (left) and another about German soldiers desecrating a Jewish cemetery, including a photoshopped image that shows a military vehicle with a German flag. Archive.is via Kas Vyksta Kaune

Much of the disinformation has focused on Lithuania, as DefenseOne reported late last year. In June 2018, for instance, the English-language, Baltic-focused news site the Baltic Course published a story claiming that a US Stryker armored vehicle had collided with a Lithuanian child on a bicycle, killing the child "on the spot." The same day, the Baltic Course posted a notice to the site that "hackers posted this news about the deceased child, which is FAKE!!! We thank our vigilant Lithuanian readers who reported on our Facebook page about fake news on site. We strengthened security measures."

A few months later, the Lithuanian news site Kas Vyksta Kaune published a story stating that "NATO plans to invade Belarus," showing a map of how NATO forces in Polish and Baltic countries would enter the neighboring country. Kas Vyksta Kaune later acknowledged that the story was fake, and planted by hackers. Someone had used a former employee's credentials to gain access to the CMS. Then in September of last year, another fake story was posted to the site about German NATO soldiers desecrating a Jewish cemetery, including what FireEye describes as a photoshopped image of a military vehicle with a German flag visible behind the cemetery.

More recently, the fake stories havRead More – Source

[contf] [contfnew]


[contfnewc] [contfnewc]