A Belarus-affiliated hacking group has attempted to compromise the Facebook accounts of Ukrainian military personnel, posting videos of hacked accounts calling on the Ukrainian military to surrender, according to a new security report from Meta (Facebook’s parent company) .
The hacking campaign, previously labeled as “Ghostwriter” by security researchers, was carried out by a group known as UNC1151 that has been linked to the Belarusian government under investigation conducted by Mandiant. A February security update from Meta flagged activity from the Ghostwriter operation, but since that update, the company said the group had attempted to compromise “dozens” of accounts, though it had only succeeded in a handful of cases.
Where successful, the hackers behind Ghostwriter could have posted videos that appeared to come from the compromised accounts, but Meta said it had blocked these videos from being shared further.
Spreading fake surrender messages has already been a tactic of hackers who have compromised television networks in Ukraine and planted false reports of a Ukrainian surrender in the chyrons of live broadcasts. While such statements can be quickly refuted, experts have suggested that they are intended to undermine Ukrainians’ trust in the media in general.
Details of the latest Ghostwriter hacks have been published in the first installment of Meta’s quarterly Adversarial Threat Report, a new offering from the company that builds on a similar December 2021 report that detailed threats faced throughout the year. While Meta has previously published regular reports of coordinated inauthentic behavior on the platform, the scope of the new threat report is broader and includes espionage operations and other emerging threats such as mass content reporting campaigns.
In addition to the hacks against military personnel, the latest report also details a series of other actions carried out by pro-Russian threat actors, including covert influence campaigns against various Ukrainian targets. In one case from the report, Meta alleges that a group with ties to the Belarusian KGB attempted to stage a protest event against the Polish government in Warsaw, though the event and the account it created were quickly taken offline.
While foreign influence operations like this one make up some of the report’s most dramatic details, Meta says it has also seen an increase in influence campaigns conducted domestically by repressive governments against their own citizens. In a conference call with reporters Wednesday, Nick Clegg, Facebook’s president for global affairs, said attacks on internet freedom had escalated.
“While much of the public attention in recent years has focused on foreign interference, domestic threats are increasing globally,” Clegg said. “As in 2021, more than half of the operations we disrupted in the first three months of this year targeted people in their own countries, including hacking into people’s accounts, running deceptive campaigns and falsely posting content to Facebook. report to silence critics.”
Authoritarian regimes generally tried to control access to information in two ways, Clegg said: first, by pushing propaganda through state media and influence campaigns, and second, by trying to stop the flow of credible alternative sources of information.
According to Meta’s report, the latter approach has also been used to limit information about the conflict in Ukraine, with the company removing a network of about 200 Russian-operated accounts engaged in coordinated reporting from other users for fictitious violations, including hate speech, bullying, and inauthenticity, in an effort to get them and their posts removed from Facebook.
Echoing an argument from Meta’s lobbying efforts, Clegg said the threats outlined in the report show “why we need to protect the open internet not only from authoritarian regimes, but also from fragmentation due to the lack of clear rules.” .”