In the wake of the recent cyberattacks surrounding the upcoming German elections, the European Union has pointed the finger at Russia, saying it is behind the ongoing disinformation campaign called ‘Ghostwriter.’
Germany is the latest target of the Ghostwriter campaign, which is responsible for discrediting NATO and smearing members of Parliament, politicians, and other government officials ahead of the September 26 federal elections.
Ghostwriter: EU points finger at Russia for cyber-attack campaign https://t.co/SqTtpsWaf7
— Threat Intelligence (@threatintel) September 27, 2021
The Ghostwriter campaign has been attributed to Russia, and the EU has just released an official statement saying:
“These malicious cyber-activities are targeting numerous members of Parliaments, government officials, politicians, and members of the press and civil society in the EU by accessing computer systems and personal accounts and stealing data.
“Such activities are unacceptable as they seek to threaten our integrity and security, democratic values and principles, and the core functioning of our democracies.” —EU Council’s Sept. 24 press release.
The EU noted that Ghostwriter had been involved in activities that are not expected of a responsible state. Ghostwriter has been involved in spearphishing and in stealing the login credentials of German officials.
Ghostwriter Campaign History
In 2020, FireEye’s threat intelligence report uncovered an influence campaign aimed at discrediting NATO. At the time, FireEye also reported that the Ghostwriter campaign had been ongoing since 2017.
Ghostwriter does not only spread false news on social media platforms. Its operators have also compromised the content management systems (CMS) of news websites and spoofed email accounts to spread fake content, including bogus comments attributed to public figures.
Earlier in September, just days before the elections, German Foreign Ministry spokesperson Andrea Sasse said:
“Cyberwriter has targeted the German parliament at least three times this year, combining conventional cyberattacks with disinformation and influence operations.”
On September 26, Ghostwriter launched another attack aimed at stealing the login credentials of German playmakers to pull off identity theft.
Ghostwriter tied to Russia’s Military Intel
Sasse also said that the German government has ‘reliable information’ that ties Ghostwriter’s activities to ‘cyber actors of the Russian state, especially Russia’s GRU military intelligence service.’ The GRU is the General Staff Main Intelligence Directorate, the intelligence arm of the Russian military.
Der Spiegel reported in March that personal email accounts of seven members of the German federal parliament and 31 members of the state parliament were targeted with fake news about the desecration of a Jewish cemetery.
The following month, in April, FireEye reported that Ghostwriter had expanded its activities, targeting the social media accounts of Polish officials in order to publish content meant to create domestic political disruption in Poland. FireEye also explained that Ghostwriter has moved from using spoofed emails to stealing the account credentials of influential people in order to post fake news online.
Ghostwriter also uploaded a fake letter from the NATO secretary general announcing the withdrawal from Lithuania due to the COVID pandemic. The document was uploaded to a blog that was falsely claimed to be written by a local journalist.
Ghostwriter Impact on German Elections
Josep Borrell Fontelles, Representative of the Union for Foreign Affairs and Security Policy, says that these attacks are attempts to “undermine our democratic institutions and processes.” Berlin has shown concern that Russia could sway public opinion toward Moscow-friendly candidates by spreading disinformation.
“As far as we can tell at the moment, the internal election server wasn’t affected by this attack and as such, there is no threat to the conduct of the federal election,” an Interior Ministry spokesman said.
The European Union has concluded that it will investigate the Ghostwriter issue thoroughly and may take further action against Russia if necessary.
This is not the first time Russia has been blamed for cyberattacks: President Biden also called President Vladimir Putin after the REvil ransomware attacks, saying he must “take action.”
Moscow has denied the allegations of interference made by Western countries, saying “it never has and never will interfere in foreign elections.”