Ghostwriter in the Shell: Expanding on Mandiant’s Attribution of UNC1151 to Belarus

Posted: 18th March 2022

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

This research expands on Mandiant’s public attribution of UNC1151 and Ghostwriter activity to entities in Belarus and describes Russian military organizational influence in Minsk, substantiating a likely nexus to Russian interests. Our research covers the period from March 2017 through the present and draws on data from the Recorded Future Platform with open source enrichment. It is intended to provide a foundation for understanding the relationship between the threat actor(s) and the broader influences and drivers for activity, to augment existing cybersecurity industry reporting, and to address established knowledge gaps in the understanding of UNC1151 and Ghostwriter activity. This report will be of interest to cybersecurity professionals who track advanced persistent threat actors as well as those seeking greater information on UNC1151 and Ghostwriter.

Executive Summary

On November 16, 2021, Mandiant analysts presented their recent research findings on activity conducted by the cyber threat actor they have designated as UNC1151 and provided insights into the joint cyber and information operations-enabled campaign designated Ghostwriter. The Mandiant team assessed with high confidence that the Belarusian government was responsible for UNC1151 activity that primarily targets European entities and assessed with moderate confidence that the same entity or entities were largely behind the Ghostwriter information operations activity. Nevertheless, Mandiant research did not rule out the possibility of potential Russian government, or other international, involvement in the campaign.

Thus far, there has been a lack of technical evidence indicating Russian involvement, but this lack is very likely an intended component of the threat activity. We have found many overlaps between the tactics, techniques, and procedures (TTPs) used in UNC1151 and Ghostwriter activity and those of Russian threat activity groups. Additionally, we note that false flags are prevalent among Russian military advanced persistent threat groups, almost certainly due to their training in the Russian military discipline of maskirovka, or deception. Such activity allows Russian military-aligned advanced persistent threat (APT) groups to plan and conduct operations with plausible deniability. We also emphasize the widespread presence of the Russian military in Belarus, as well as evidence of other Russian high-level influence and training, which all suggest likely Russian involvement and influence in Belarus.

Key Judgments

  • Recorded Future does not dispute findings presented by Mandiant in November 2021, which suggest technical links between UNC1151 and Ghostwriter operations and the Belarusian government, likely affiliated with the Belarusian military.
  • There is ample evidence to suggest that Russian government entities, specifically entities within the Russian military and academic sector, are likely interacting with the Belarusian government on matters of cybersecurity and information confrontation.
  • We have identified reports of high-level meetings between Russian and Belarusian Security Services officials, which indicate that cooperation between the two is likely.
  • It is likely that Russian military entities, potentially including individuals affiliated with Russian Main Intelligence Directorate (GRU/GU)-related APT groups, operated from, supported, or trained individuals and organizations in Belarus; this assessment is based on long-term Russian Ministry of Defense operations in Belarus.
  • The interactions between these entities provide the foundation necessary for Russian state-affiliated military intelligence units to use Belarus as a base of operations or train Belarusian personnel in the disciplines of information warfare and cyber operations.
  • The Ghostwriter campaign, along with the UNC1151 activity, was composed of concurrent cyber activity and information operations; GRU/GU APT groups have consistently engaged in operations that leverage multiple aspects of the information domain. It is highly likely that these groups have the capability and intent to conduct aspects of the Ghostwriter campaign and UNC1151 activity.
  • Russian GRU/GU APT groups have consistently employed proxies in past operations or engaged in false flag operations to mask their involvement in cyber intrusions; conducting Ghostwriter/UNC1151 activity from Belarusian territory, or involving Belarusian forces in the effort, would likely offer a similar approach to masking Russian involvement.
  • This research, and its description of Russian government involvement in Belarusian Ghostwriter and UNC1151 threat activity, is relevant because it reveals how the Russian military can operate from foreign territory or leverage proxies to create challenges to attribution. The synthesis of technical and contextual data, enabled by the Recorded Future platform, can alleviate challenges to attribution.
