Menu
Browse

Cyber Threat Actor: UNC1151

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Nation State
Russia
36 incidents
Profile

Ghostwriter, operating under aliases including UNC1151, SaintBear, UNC2589, TA471, UAC-0041, UAC-0056, Uawrongteam, UNC2903, Storm-0257, Ember Bear, Lorec53, and UNC4166, is a Russia-linked threat actor engaged in cyberespionage, disinformation, and disruptive operations. Public reporting attributes activities to Russian state interests, with incidents demonstrating coordination with military intelligence objectives. The group targets government entities, critical infrastructure, media organizations, and defense sectors, primarily in Ukraine, Poland, Germany, and other NATO-aligned nations, while also compromising Western private sector databases for intelligence or financial gain. Strategic objectives include data theft for espionage, credential harvesting for persistent access, and website defacement or data wiping to undermine institutional trust and operational continuity.

Notable campaigns include the 2022 breach of Ukrainian government networks via trojanized Windows 10 installers, deploying malware like Stowaway, Beacon, and Sparepart to disable security controls and exfiltrate data aligned with Russian military interests. In 2024, the actor defaced British local newspaper websites under a false "Russian hackers" persona, compromising availability without data theft. The group employs phishing with malicious Excel macros delivering IcedID or AgentTesla, exploits vulnerabilities like Zimbra's CVE-2018-6882 for email rule manipulation, and uses web shells such as HoaxPen or CredPump for backdoor access. Tooling includes the Elephant implant family (GrimPlant, GraphSteel) for credential theft and Cobalt Strike for lateral movement, alongside disruptive wipers like CaddyWiper. Infrastructure relies on tunneling utilities like Ngrok and GOST, while false-flag operations leverage compromised accounts, as seen in the 2022 InfraGard breach where FBI-vetted access facilitated member data exfiltration. Persistent targeting of Ukrainian agencies—including 2021 website backdooring and 2022 energy sector attacks—highlights sustained focus on destabilizing critical systems, with parallel activities against German parliament members and Polish state domains reinforcing alignment with Russian geopolitical objectives.

Incidents
Attributed incidents available to members
35 incidents
Sources
Sources available to members
9 sources