Threat Intelligence Tarot
cups · 11
Belarus (KGB-linked)
G0061★★★★★
risk 3/5
✦ The Ghostwriter ✦
UNC1151
GhostWriter · Ghostwriter operators
LithuaniaLatviaPolandUkraineNATO credibility operations
Active since ~2017 · NATO influence operations, Baltic state disinformation, Pro-Russia/Belarus narratives
The Ghostwriter does not write news. It writes the news it needs. It compromises news websites, publishes fake statements from real politicians, and lets the fabricated story circulate before correction is possible. By the time the retraction appears, the narrative has already traveled.
Tactics & Techniques
RCN
RDV
INI
EXC
PRS
PRV
EVA
CRD
DSC
LAT
COL
C2
EXF
IMP
Notable Operations
- ◆Fake NATO withdrawal from Baltics narrative campaign
- ◆Compromised news sites used to publish fabricated official statements
- ◆Lithuanian and Polish government credential harvesting
- ◆Operation attributed jointly by US, UK, and EU intelligence agencies
Defenses
- ▸Two-factor authentication on news site and government CMS systemsCIS Control 6 ↗
- ▸Media literacy programs in targeted Baltic and Polish populationsEU DisinfoLab guidance
- ▸Political official account verification and monitoringNIST CSF: PR.AC ↗
- ▸Coordinated threat intelligence sharing with allied governmentsNIST CSF: ID.RA ↗
Reversed: Their Weakness
GhostWriter's influence operations are undermined by speed - digital forensics and platform labeling can now flag manipulated content rapidly, and the coordinated attribution by multiple Western intelligence agencies publicly disrupted the operation's plausible deniability.
Share this adversary profile
swipe to browse
Related Adversaries
Data sourced from MITRE ATT&CK. For educational purposes.