Ghostwriter: Hybrid Influence and Espionage Operations in Eastern Europe

Ghostwriter APT — Belarus/Russia-linked group conducting hybrid cyber-espionage and influence campaigns since 2016.

Introduction

Ghostwriter, also tracked as TA445, DEV-0257, Storm-0257, UNC1151, UAC-0057, and PUSHCHA, is a Belarus-aligned advanced persistent threat (APT) actor with strong ties to Russia. Active since at least 2016, the group runs a hybrid campaign that pairs disinformation with cyber espionage and credential theft (phishing for e-mail and social-media login credentials). Its intrusions are directed chiefly at NATO member states, Eastern European governments and EU institutions, and they serve Belarusian objectives that are closely, though not completely, aligned with Russian state objectives. The ongoing war in Ukraine has made this alignment particularly clear.

Identity and Motivation

Public attribution points almost exclusively to Belarusian military intelligence (GSSD), although the group also works to advance broader Russian goals. It pursues political and military-influence objectives by combining an information operations strategy with direct cyber intrusions. Its primary targets are policy makers, journalists and military institutions, and its aims are to discredit NATO, disrupt elections and weaken Western support for Ukraine.

TTPs

Ghostwriter campaigns are distinctive in that they combine propaganda with technical intrusions rather than pursuing either on its own.

  • Initial Access: phishing e-mails carrying malicious attachments or links to credential-harvesting sites, and exploitation of vulnerabilities in website content management systems.
  • Persistence: continued use of stolen credentials, long-term control of compromised e-mail accounts, and the upkeep of fabricated online personas.
  • Command and Control (C2): compromised infrastructure and hijacked websites used to relay traffic and maintain communications.
  • Malware and Tools: credential harvesters, infostealers, backdoors and publicly available tools repurposed for espionage.
  • Techniques: traditional espionage tradecraft (credential theft, lateral movement, exfiltration) blended with disinformation elements such as fake news sites and manipulated social-media activity.
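The credential-harvesting sites in the Initial Access bullet typically sit on domains that imitate a legitimate login portal (a swapped character, a digit for a letter, or the real name buried in a subdomain of an attacker-owned domain). The Python script below, added here as an illustration and not taken from any Ghostwriter report or vendor tooling, flags such lookalikes in a list of URLs, for example clicked links pulled from mail or proxy logs. The protected domains, the sample URLs and the homoglyph table are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hypothetical protected domains: the organisation's own SSO host and the
# webmail provider its staff use. Constructed for this example.
PROTECTED = ["example-ministry.gov", "webmail.example.org"]

# Characters commonly swapped in for ASCII letters in lookalike domains,
# folded back to the letter they imitate (digits plus a few Cyrillic and
# accented Latin confusables). Not exhaustive; the Unicode confusables
# table is the full reference.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "а": "a", "е": "e", "і": "i", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
    "ı": "i", "ł": "l", "ö": "o", "ü": "u",
})
MIN_NAME_LEN = 6  # very short names produce too many accidental near-misses


def normalise(label):
    """Comparison form: lower-case, homoglyphs folded, two-letter imitations
    collapsed ("rn" -> "m", "vv" -> "w"), separators dropped. Both
    "examp1e-ministry" and "exarnpleministry" become "exampleministry"."""
    s = label.lower().translate(HOMOGLYPHS)
    s = s.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[-_.]", "", s)


def levenshtein(a, b):
    """Edit distance; 1 or 2 means a one- or two-keystroke typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url):
    """Host part of a URL, with punycode (xn--) labels decoded so that the
    homoglyph folding sees the Unicode characters a user would see."""
    host = (urlparse(url).hostname or "").rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # leave undecodable labels as they are
    return host.lower()


def registrable(host):
    """Approximate registrable domain: the last two labels. A production
    tool should consult the Public Suffix List (e.g. 'gov.pl' is a suffix)."""
    return ".".join(host.split(".")[-2:])


def classify(url):
    """Return (protected_domain, reason) if the URL's host imitates one of
    PROTECTED, or None if it is genuine or unrelated."""
    host = hostname(url)
    reg = registrable(host)
    if any(reg == registrable(p) for p in PROTECTED):
        return None  # genuine protected domain or one of its sub-hosts
    n_reg = normalise(reg.split(".")[0])
    n_host = normalise(host)
    for p in PROTECTED:
        n_p = normalise(registrable(p).split(".")[0])
        if len(n_p) < MIN_NAME_LEN:
            continue
        if n_reg == n_p:
            return (p, "homoglyph")   # identical once confusables are folded
        if levenshtein(n_reg, n_p) <= 2:
            return (p, "typosquat")   # one or two edits away from the real name
        if n_p in n_host:
            return (p, "embedded")    # real name used inside a foreign domain
    return None


# Constructed URLs standing in for links seen in mail or proxy logs; they
# are not real indicators.
SAMPLE_URLS = [
    "https://login.example-ministry.gov/sso",            # genuine
    "https://exarnple-ministry.info/sso",                 # "rn" imitating "m"
    "https://webmail.examp1e.org/owa",                    # digit 1 for letter l
    "https://еxample-ministry.org/login",                 # Cyrillic е for Latin e
    "https://example-ministry.gov.account-check.com/x",   # real name as a subdomain
    "https://examplle.org/signin",                        # one extra letter
    "https://www.wikipedia.org/",                         # unrelated
]


def scan(urls):
    """[(url, protected_domain, reason)] for every URL judged to be a lookalike."""
    hits = []
    for u in urls:
        verdict = classify(u)
        if verdict is not None:
            hits.append((u, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for url, target, reason in scan(SAMPLE_URLS):
        print(f"{reason:<10} {url}  imitates {target}")
```

The "embedded" rule deliberately trades precision for recall: any foreign domain whose host contains a protected name is reported, so a real deployment would pair it with an allow-list of partner domains. The two-label approximation of the registrable domain is the other weak point; the Public Suffix List fixes it for country-code suffixes such as gov.pl or org.ua.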

Notable Operations

2016–2019: Disinformation campaigns aimed at NATO forces in Poland and the Baltic states, using fabricated news articles to undermine public trust.

2020: Heavy phishing and disinformation activity against Polish officials and NATO personnel; this year marked the shift to fusing technical intrusions with propaganda.

2021: Operations expanded to journalists, NGOs and government officials across Eastern Europe, combining credential theft with influence operations.

2022: Activity increased during the Russian invasion of Ukraine, pushing pro-Russian narratives while phishing Ukrainian and NATO-aligned entities.

2023: Hybrid campaigns against European political organizations and electoral infrastructure, aimed at disrupting democratic processes and promoting anti-NATO sentiment.

2024–2025: The combined campaign continued against NATO officials, EU political organizations and regional media; the latest operations focus on fracturing Western unity in support of Ukraine through coordinated intrusions and influence operations.

Recent Developments

Ghostwriter remains active as of 2025. Phishing campaigns against NATO and EU institutions continue to be reported alongside propaganda aimed at eroding public trust in Western governing bodies. Most APTs pursue either espionage or disinformation; Ghostwriter's ability to blend the two, so that intrusions produce psychological as well as operational effects, is unusual. Its activities are also likely more potent than those of comparable groups because its alignment with Russian interests has only intensified since the escalation of the war in Ukraine, making it in effect a hybrid-warfare tool in the information domain. By linking network intrusions to propaganda narratives, the group has been able both to amplify its messaging and to compromise assets inside the pro-Western organizations it targets.

Conclusion

Ghostwriter is a serious threat not only because it can spy but because it can run an information-warfare campaign alongside that espionage. This dual capability makes it a high-risk adversary for NATO, EU institutions and the Eastern European governments mentioned above.

Defensive Takeaways

  • Improve phishing resilience and employee training.
  • Monitor for the use of stolen credentials, for example sign-ins from unexpected locations or devices.
  • Monitor social media and news for disinformation campaigns and suspicious amplification.
  • Harden election and media infrastructure against both cyber intrusions and information campaigns.
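The second takeaway, watching for use of stolen credentials, can be reduced to a pair of simple rules over authentication logs: a successful sign-in from a country the account has never used, and two sign-ins from different countries too close together to be the same person. The script below is an added example, not part of the original article; its log lines, account names and per-account country baselines are constructed, and the two-hour travel window is an assumed threshold.

```python
import re
from datetime import datetime, timedelta

# Constructed webmail authentication events (syslog-style key=value lines).
# Users are fictitious and the addresses come from documentation ranges.
LOG_LINES = """\
2025-03-04T07:58:10Z user=anna.k src=198.51.100.12 country=PL result=success
2025-03-04T08:40:22Z user=anna.k src=203.0.113.77 country=NL result=failure
2025-03-04T08:41:05Z user=anna.k src=203.0.113.77 country=NL result=success
2025-03-04T09:02:47Z user=tomas.b src=192.0.2.45 country=LT result=success
2025-03-04T09:15:00Z user=tomas.b src=192.0.2.45 country=LT result=success
2025-03-05T22:10:31Z user=tomas.b src=203.0.113.9 country=DE result=success
2025-03-06T06:00:00Z user=irena.m src=198.51.100.200 country=LV result=success
this line is malformed and must be skipped
"""

# Per-account baseline of countries seen in the previous 30 days. Assumed to
# have been learned from historical logs; hard-coded here for the example.
BASELINE = {"anna.k": {"PL"}, "tomas.b": {"LT"}, "irena.m": {"LV"}}

# Two successful logins from different countries closer together than this
# are treated as impossible travel (assumed threshold).
TRAVEL_WINDOW = timedelta(hours=2)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)


def parse(text):
    """Parse log lines into dicts with a datetime 'ts'; malformed lines are
    dropped rather than allowed to crash the detection run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline):
    """Return alerts as (ts, user, rule, detail) tuples.

    Rules:
      new_country       - success from a country outside the account's baseline
      impossible_travel - success from a different country than the previous
                          success, less than TRAVEL_WINDOW later
    Unknown accounts have an empty baseline, so every login they make is
    flagged; that is deliberate (enrol the account before trusting it).
    """
    alerts = []
    last_success = {}  # user -> (ts, country) of the most recent success
    for e in events:
        if e["result"] != "success":
            continue  # failures alone are noise here; stolen credentials succeed
        user, cc = e["user"], e["country"]
        if cc not in baseline.get(user, set()):
            alerts.append((e["ts"], user, "new_country", f"{cc} via {e['src']}"))
        prev = last_success.get(user)
        if prev and prev[1] != cc and e["ts"] - prev[0] < TRAVEL_WINDOW:
            gap = e["ts"] - prev[0]
            alerts.append((e["ts"], user, "impossible_travel", f"{prev[1]} -> {cc} in {gap}"))
        last_success[user] = (e["ts"], cc)
    return alerts


def run(text=LOG_LINES, baseline=BASELINE):
    """Parse the sample log and apply both rules."""
    return detect(parse(text), baseline)


if __name__ == "__main__":
    for ts, user, rule, detail in run():
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<8} {rule:<18} {detail}")
```

On the sample data anna.k trips both rules (a Dutch sign-in 43 minutes after a Polish one, preceded by a failed attempt from the same address), while tomas.b trips only the new-country rule a day later. Country-level geolocation is coarse; in production the same logic is usually run on ASN or device identifiers as well, and the baseline is refreshed on a rolling window so that genuine travel stops alerting after it has been confirmed.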

If hybrid warfare continues to define the threat environment in Eastern Europe, Ghostwriter will remain a recurring and adaptable adversary. The continued melding of influence operations with cyber espionage is an indicator of how state-sponsored threats are evolving in 2025 and beyond.
