Mandiant Threat Intelligence assesses with high confidence that UNC1151 is linked to the Belarusian government. This assessment is based on technical and geopolitical indicators. In April 2021, we released a public report detailing our high-confidence assessment that UNC1151 provides technical support to the Ghostwriter information operations campaign; this assessment, along with observed Ghostwriter narratives consistent with Belarusian government interests, causes us to assess with moderate confidence that Belarus is also likely at least partially responsible for the Ghostwriter campaign. We cannot rule out Russian contributions to either UNC1151 or Ghostwriter. However, at this time, we have not uncovered direct evidence of such contributions.
UNC1151 has targeted a wide variety of governmental and private sector entities, with a focus in Ukraine, Lithuania, Latvia, Poland, and Germany. The targeting also includes Belarusian dissidents, media entities, and journalists. While there are multiple intelligence services that are interested in these countries, the specific targeting scope is most consistent with Belarusian interests. In addition to the targeting scope, UNC1151 operations have focused on obtaining confidential information and no monetization efforts have been uncovered.
While the majority of UNC1151 operations have targeted countries neighboring Belarus, a small minority have been conducted against governments with no obvious connection to Belarus. There are multiple possible explanations for this targeting, including incidental inclusion on diplomatic mailing lists, or non-public bilateral issues. However, the targeting that does not align directly to Belarusian interests could indicate that UNC1151 also supports additional priorities. These out-of-scope operations mainly took place between 2016 and 2019.
Sensitively sourced technical evidence indicates that the operators behind UNC1151 are likely located in Minsk, Belarus. This assessment is based on multiple sources that have linked this activity to individuals located in Belarus. In addition, separate technical evidence supports a link between the operators behind UNC1151 and the Belarusian military.
Mandiant has tracked UNC1151 since 2017, and during this time there have been no overlaps with other tracked Russian groups, including APT28, APT29, Turla, Sandworm, and TEMP.Armageddon. While we cannot rule out Russian support for or involvement in UNC1151 or Ghostwriter operations, the TTPs used by UNC1151 are unique to this group.
Pre-2020 Ghostwriter information operations were primarily anti-NATO, but since mid-2020 they have focused on Belarus’ neighbors.
From the earliest observed Ghostwriter operation until mid-2020, the Ghostwriter campaign primarily promoted anti-NATO narratives that appeared intended to undercut regional security cooperation in operations targeting Lithuania, Latvia, and Poland. To this end, observed operations have disseminated disinformation portraying the foreign troop presence in the region as a threat to residents and alleging that the costs of NATO membership are a detriment to local populations. The seeming intended effect of these narratives—to erode regional support for NATO—can serve both Russian and Belarusian interests. We note, however, that the campaign has specifically targeted audiences in countries bordering Belarus, whereas Russia has long promoted anti-NATO narratives both in the region and further afield. Specifically, observed Ghostwriter operations, in this time period and through the present, have almost completely excluded Estonia, which notably does not border Belarus but is a Baltic State, NATO member, and a relevant component of any concerns about NATO’s security posture on its eastern flank.
Since the disputed August 2020 elections in Belarus, Ghostwriter operations have been more distinctly aligned with Minsk’s interests. Promoted narratives have focused on alleging corruption or scandal within the ruling parties in Lithuania and Poland, attempting to create tensions in Polish-Lithuanian relations, and discrediting the Belarusian opposition. Both governments have strongly condemned the Lukashenka regime’s crackdown on demonstrations and extraordinary efforts to stay in power. In addition, several Ghostwriter operations have promoted narratives specific to Belarus, including narratives critical of alleged Polish government support for Belarusian dissidents. It is possible that operations seemingly intended to undermine local confidence in the Lithuanian and Polish governments are a response to what Belarus has claimed to be their intervention in Belarusian domestic affairs. Likewise, operations seemingly intended to create tensions between the two nations may be an attempt to undercut their cooperation, which has in part characterized their responses to Belarus-related issues.
Ghostwriter narratives, particularly those critical of neighboring governments, have been featured on Belarusian state television as fact. We are unable to ascertain whether this is part of a coordinated strategy or if it is simply Belarusian state TV promoting narratives that are consistent with regime interest and being unconcerned with accuracy. Such television programs suggest that some Ghostwriter operations’ promoted narratives are particularly relevant to the ongoing internal political conversation in Belarus, and it raises the possibility that discrediting rival governments and Belarusian opposition figures in the eyes of the Belarusian public may be an additional goal of the Ghostwriter campaign.
The sources of written content for Ghostwriter operations and of the malware used by UNC1151 remain uncertain. The creation of content for information operations, especially in multiple languages, requires a distinct skillset from conducting computer intrusions. Likewise, the development of custom malware requires software engineering skills that are distinct from those required to set up a credential theft operation. It is possible that the individuals supporting these functions are part of the same organization assessed to have a nexus to Belarus; however, the uncertainty and distinct skillsets required for different aspects of this activity creates a possibility for the involvement of additional organizations or countries.
Mandiant assesses with high confidence that UNC1151 is linked to the Belarusian government and with moderate confidence is linked to the Belarusian military. This is based on the below factors:
Mandiant assesses with high confidence that Ghostwriter information operations are conducted in support of the Belarusian government and with moderate confidence that they are conducted with Belarusian sponsorship.
Mandiant has examined the possibility of Russian participation in UNC1151 and Ghostwriter operations, but we do not have sufficient evidence to confirm or refute a role in these activities. Mandiant has seen high-level TTP overlaps with Russian operations, and much of the targeting and information operations activity is consistent with Russian goals. Given the close ties between the governments, collaboration is plausible; however, we have not uncovered direct evidence of Russian government involvement.
Belarusian sponsorship of UNC1151 and the links to the Ghostwriter operations showcase the accessibility and deniability of provocative information operations. While the cyber espionage operation was regionally focused and primarily leveraged an open source platform to steal credentials, it was able to support impactful information operations. These types of cyber operations are one of many tools that governments use to accomplish their goals; they do not exist in a vacuum, but are leveraged alongside other types of operations.
© Copyright 2023 Mandiant. All rights reserved.