Menu
Browse

Cyber Threat Actor: GhostWriter

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Nation State
Belarus
4 incidents
Profile

GhostWriter, also referenced as GhostWriter APT, is a threat actor identified by security researchers under these two aliases. Open‑source assessments associate the group with Belarus, listing its known location as Belarus when geographic attribution is discussed. The actor first came to public attention through a series of website defacement incidents targeting Ukrainian government online properties in early 2022. Researchers who analyzed those incidents noted linguistic and tactical similarities that led them to link the activity to a Belarus‑aligned threat group. Beyond the alias and location information, the disclosed sources do not provide further specifics about the actor’s internal hierarchy, size, funding sources, or any criminal‑or‑state affiliations beyond the Belarus connection.

GhostWriter’s observed targeting concentrates on governmental institutions in Ukraine, including the Ministry of Foreign Affairs, the Cabinet of Ministers portal, and the Ministry of Agriculture website. The defacement campaigns have also been reported to affect Polish military databases, indicating that the actor’s operational scope extends to neighboring NATO‑aligned entities. In each case the attackers replaced legitimate site content with multilingual messages written in Ukrainian, Russian, and Polish that falsely asserted large‑scale citizen data theft. The purpose of these messages appears to be disruptive, aiming to sow confusion and undermine public trust in the affected institutions rather than to extract financial profit. No evidence within the provided material describes the actor pursuing traditional espionage objectives, such as data exfiltration for intelligence gain, or engaging in financially motivated cybercrime.

The technical method consistently reported for GhostWriter’s initial access is the exploitation of a critical vulnerability in outdated content management systems, specifically CVE‑2021‑32648. After leveraging this flaw to obtain administrative privileges, the actor uses the compromised CMS to upload defacement pages that display the fabricated breach notifications. The defacement texts are notable for containing grammatical errors across the three languages, a characteristic that analysts have highlighted as a possible sign of foreign operators. Attribution in the cited reports repeatedly ties the activity to GhostWriter and characterizes the actor as Belarus‑aligned, although the sources stop short of declaring explicit state sponsorship. The source material does not mention any particular malware families, custom implants, or persistence tools associated with GhostWriter beyond the reliance on the disclosed web‑application vulnerability. The January 2022 defacement wave, which struck multiple Ukrainian government sites and was linked to possible effects on Polish military systems, serves as a concrete example of the actor’s campaign pattern.

Incidents
Attributed incidents available to members
4 incidents
Sources
Sources available to members
0 sources