The Belarusian government-linked GhostWriter disinformation campaign used fabricated government correspondence in mid-June to try to push a rumor that Ukrainian male refugees in Poland would be identified and deported back to Ukraine for military service, researchers with cybersecurity firm Mandiant said Thursday.
Two hacktivist personas amplified the message, the researchers said in findings first shared with CyberScoop, although there is no evidence linking the personas to GhostWriter or suggesting who is behind them.
“Though we have attributed Ghostwriter to Belarus, we have always been mindful that they are not operating in a vacuum and have not ruled out the possibility that this activity involves collaborators in Russia,” said John Hultquist, Mandiant’s vice president of intelligence analysis. “We are increasingly seeing coordination and other cooperative activity between the actors who carry out information operations which may be incidental but may also expose an organization that’s opaque to us.”
Beregini, an established pro-Russian hacktivist group, posted a document to its Telegram channel on June 16 claiming that Ukrainian Foreign Minister Dmytro Kuleba was initiating a process with Polish officials to return male Ukrainian refugees to Ukraine to be deployed to the frontlines. The post included an apparently fake document from Ukrainian Minister of Defense Oleksiy Reznikov to Kuleba summarizing the situation.
Under the document, the group posted a message saying that Ukrainian refugees “have an incredible chance to return home soon, and no longer in women’s clothing and without bribes to our border guards,” according to a Google translation of the post, which remains visible. “It is possible that Poland is ready to commit unthinkable violations of international law, as it has its own views of the western territories of Ukraine.”
The next day, June 17, a separate pro-Russian hacktivist persona, JokerDPR, posted a message to its Telegram channel claiming to have obtained a document showing Kuleba asking Polish officials to assist in deportations of Ukrainian male refugees.
“My hackers intercepted an interesting document,” the message to the channel’s nearly 97,000 subscribers read, as it claimed the document showed that Ukrainian male refugees aged 18 to 60 would be sent “to the front,” according to a Google translation.
“Judging by the decisions of the clown and his team, the safest place for a Ukrainian aged 18 to 60 will soon be a prisoner in the DNR. Ah-ha-ha-ha-ha-ha-ha-ha ….” the message reads. “DNR” is the acronym for the Donetsk People’s Republic, one of the Russian-occupied regions of eastern Ukraine.
The same day, a previously dormant social media account belonging to a mid-level Polish politician posted images purporting to show multiple pieces of official correspondence detailing the plans, and noting that the operation would begin June 27.
The JokerDPR account then promoted screenshots of the politician’s social media post, presenting it as evidence of the plot.
On June 20, the researchers note, a Polish government agency published a statement identifying at least one of the letters as fake. The agency also said the fake letter had been disseminated through an undisclosed number of emails, but didn’t share any additional details.
“Please be advised that this letter is forged, and the information itself is an example of fake news and an attempt to disinform,” the statement said, according to a Google translation.
Multiple Russian news outlets reported the narrative as fact, the Mandiant researchers said, although there is no indication that the media outlets were part of the core operation.
“However, we note that this suggests the narrative’s relevance to Russian audiences, which may indicate that it was at least in part designed to influence Russian audiences,” said the researchers.
In November 2021, Mandiant published findings identifying GhostWriter as the work of the Belarusian government, which itself is closely aligned with Russia. European investigators had previously suggested the campaign was a Russian effort.
GhostWriter has been active in the region in the wake of Russia’s invasion, targeting NATO governments and officials tasked with managing refugee logistics, for instance. In May, Mandiant published findings that exposed what appeared to be a GhostWriter campaign pushing a phony narrative that Polish criminals were harvesting Ukrainian refugee body parts to illegally traffic in the European Union.
The campaign’s track record of leveraging real and concocted social media accounts to push leaked and sometimes modified official-looking documents, sometimes via email, is part of the basis to conclude that the June 16 and 17 posts are part of a GhostWriter operation, the Mandiant researchers said.
The support from the JokerDNR and Beregini hacktivist personas, which are distinct from GhostWriter, is an interesting development, the researchers said, showing possible coordination.
“While cooperation or coordination between threat actors is not by itself uncommon, and we continue to view the Ghostwriter campaign, JokerDNR, and Beregini as distinct activity sets, this nonetheless represents an expansion in our understanding of each,” they said.