‘Russians’ Hack News Websites, Sow Anti-NATO Sentiment

Researchers have discovered pro-Russian narratives being spread via hacked news websites, and other shady techniques. The disinformation seems to be aimed at attacking NATO in former-Soviet states.

There’s also the suggestion that the same group is operating a campaign of fake news for Western audiences. The U.S. is raising concerns about the forthcoming election, and is pointing the finger squarely at Moscow.

But is there anything new here? In today’s SB Blogwatch, we protest like it’s 2009.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: It’s Kate Bush’s birthday.


Negative, Ghostwriter—the CMS is Pwned

What’s the craic? Turn to Jeff Stone—“Anti-NATO disinformation effort uses coronavirus to poke political tensions”:

 The group, dubbed Ghostwriter, has been focused on amplifying anti-Western narratives in Poland, Latvia and Lithuania since 2017. Operatives have planted fabricated diplomatic documents, tried spreading the false narrative that Canadian soldiers had been spreading COVID-19 through Latvia, and leveraged news sites to spread articles that appear to be legitimate, according to a report.

In one case, Ghostwriter personas tried disseminating a fabricated letter [from] Jens Stoltenberg, Secretary General of [NATO], suggesting that Lithuania intended to leave the alliance. … They also falsified quotes … from an interview with the commanding general of the U.S. Army in Europe, complaining about the state of the Polish and Baltic militaries.

The campaign relied on at least 14 inauthentic web personas that have been involved in 15 operations dating back three years. … The tactics closely resemble the work of Operation Secondary Infektion, a suspected Russian effort that’s used more than 300 websites to spread Kremlin talking points on regional blogging websites.

And Andy Greenberg—“Hackers Broke Into Real News Sites to Plant Fake Stories”:

 Eastern Europe has faced a broad campaign that takes fake news ops to yet another level [with] a bolder tactic: hacking the content management systems of news websites to post their own stories. They then disseminate their literal fake news with spoofed emails, social media, and even op-eds the propagandists write on other sites that accept user-generated content.

[It] has spread false stories about US military aggression, NATO soldiers spreading coronavirus, NATO planning a full-on invasion of Belarus, and more. … Analysts have found that the news site compromises and the online accounts used to spread links to those fabricated stories, as well as the more traditional creation of fake news on social media, blogs, and websites with an anti-US and anti-NATO bent, all tie back to a distinct set of personas, indicating one unified disinformation effort.

The focus on driving a wedge between NATO and citizens of Eastern Europe hints at possible Russian involvement. … It [wouldn’t] be the first time. … In 2017, US intelligence agencies concluded that Russian hackers breached Qatar’s state news agency and planted a fake news story designed to embarrass the country’s leader and cause a rift with the US.

[The] finding that all of those operations to plant fake news were carried out by a single group comes on the heels of … the GRU’s role in meddling in the 2016 presidential election. … Even if false stories are spotted quickly and taken down, they could have a significant temporary effect on public opinion.

Who discovered it? Lee Foster, Sam Riddell, David Mainor, and Gabby Roncone—“Unknown Actors Leverage Website Compromises … to Push Narratives Aligned With Russian Security Interests”:

 Mandiant Threat Intelligence has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign. … Many, though not all of the incidents we suspect to be part of the Ghostwriter campaign, appear to have leveraged website compromises or spoofed email accounts.

This falsified content has been referenced as source material … by at least 14 inauthentic personas posing as locals, journalists and analysts. … We believe the assets and operations discussed in this report are for the first time being collectively tied together and assessed to comprise part of a larger, concerted and ongoing influence campaign.

Promoted Ghostwriter narratives have aligned with Russian security interests. [But] at this time, we do not attribute the Ghostwriter campaign to a specific actor or group. … The narratives have focused heavily on NATO military exercises in the region, including Saber Strike 2018, ANAKONDA 2018, DEFENDER-Europe 20, and Iron Wolf 2019.

Multiple Ghostwriter operations appear to have leveraged compromised websites … of news outlets. … In at least some of these cases, the fabricated articles were published using the sites’ content management systems (CMS) after obtaining user credentials.

The Ghostwriter campaign leverages traditional cyber threat activity and information operations tactics to promote narratives intended to chip away at NATO’s cohesion and undermine local support. … This campaign may warrant special attention, especially as elections near.

Wait. Pause. Did you say “since 2017”? magzteel counts on their fingers:

 It’s been going on for three years?

I’d say these Eastern European news sites are getting free content and don’t want it to stop. They might even be getting paid to allow it to happen, while claiming to be victims.

However, a spokesperson is hinting to news outlets that the same Russian disinfo group is already targeting the US, as Eric Tucker and David Klepper report—“US officials: Russia behind spread of virus disinformation”:

 Two Russians who have held senior roles in Moscow’s military intelligence service known as the GRU … Denis Valeryevich Tyurin and Aleksandr Gennadyevich Starunskiy … have been identified as responsible for a disinformation effort meant to reach American and Western audiences. … The information had previously been classified, but officials said it had been downgraded so they could more freely discuss it.

Among the headlines that caught the attention of U.S. officials were “Russia’s Counter COVID-19 Aid to America Advances Case for Détente,” which suggested that Russia had given urgent and substantial aid to the U.S. to fight the pandemic, and “Beijing Believes COVID-19 is a Biological Weapon,” which amplified statements by the Chinese.

Officials described the Russian disinformation as part of an ongoing and persistent effort to advance false narratives and cause confusion. … They went further on Tuesday by singling out a particular information agency that is registered in Russia, InfoRos, and that operates a series of websites — InfoRos.ru, Infobrics.org and OneWorld.press — that have leveraged the pandemic to promote anti-Western objectives and to spread disinformation.

The twin crises buffeting the country and much of the world — the pandemic and race relations and protests — have offered fertile territory for misinformation or outright falsehoods. … A headline Tuesday on InfoRos.ru about the unrest roiling American cities read “Chaos in the Blue Cities,” accompanying a story that lamented how New Yorkers … “have zero street smarts” [so] must now “adapt to life in high-crime urban areas.”

And here next? SuperKendall thinks so:

 Only a matter of time before the same thing happens in the U.S. with some major media outlet. Only here it would be very likely targeting financial markets.

The effect of this would be made worse by the modern news practice of spreading a story far and wide before even the most basic fact checking is done, so something even slightly believable would have massive legs.

But c’mon. Aren’t we smarter than that? AmiMoJo says oh no:

 People laugh at QAnon but every day we see people acting on that nonsense.

International context? Astghik Grigoryan read the report today:

 [I] read the report today. It is interesting, especially in the context of recent presidential elections in Poland, where an incumbent far right candidate won re-election, and signaled the possibility for warming up strained relations with Russia.

Meanwhile, this Anonymous Coward has had enough of fake news:

 Probably only The Onion counts as a “real” news site these days.

And Finally:

Happy Katemas

The original is 40 years old!



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Tomislav Medak (cc:by)


Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
