EU Formally Blames Russia for ‘Ghostwriter’ Hacking Activities

The European Union has officially linked Russia to a hacking operation known as Ghostwriter that targets high-profile EU officials, journalists, and the general public. “These malicious cyber activities are addressing various members of Parliaments, government officials, politicians, and people of the press and civil society in the EU by accessing computer systems and personal accounts and hijacking information,” European Council officials said in a recent press release.

“Such activities are offensive as they seek to threaten our virtue and security, democratic values and principles and the core functioning of our democracies.” The EU officials added that such hacking activities are in stark contrast to the norms of state behavior endorsed by all UN member states.

The attacks are also seen as clear attempts to undermine the EU’s democratic institutions and processes, including but not limited to enabling disinformation and information manipulation.

Linked to Russia’s GRU Military Intelligence Service

Germany also linked Ghostwriter’s “malicious cyber activities” to the GRU military intelligence service in recent days, with German Foreign Ministry spokesperson Andrea Sasse stating that the German parliament was targeted at least three times this year.

Sasse’s statement came after German security authorities analyzed multiple attempts to steal the personal login credentials of German lawmakers before the September 26 federal election, likely in preparation for disinformation campaigns.

“The German government has reliable information on the basis of which Ghostwriter activities can be attributed to cyber actors of the Russian state and, specifically, Russia’s GRU military intelligence service,” Sasse said.

In March, Germany also said that the Russian military intelligence hacking group Ghostwriter was the main suspect behind a spearphishing attack that targeted multiple Parliament members.

They are believed to have breached the email accounts of seven members of the German federal parliament (Bundestag) and 31 members of German regional parliaments.

“The European Union and its Member States strongly denounce these malicious cyber activities, which all involved must put to an end immediately. We urge the Russian Federation to adhere to the norms of responsible state behavior in cyberspace,” the European Council added today.

Who is Ghostwriter?

Ghostwriter has been coordinating “information operations” that push narratives aligned with Russian security interests since March 2017, according to a 2020 report from cybersecurity firm FireEye. These attacks continued through 2021, with FireEye identifying over twenty additional incidents believed to be part of Ghostwriter activity.

“The Ghostwriter campaign leverages traditional cyber threat activity and information operations tactics to promote narratives intended to chip away at NATO’s cohesion and undermine local support for the organization in Lithuania, Latvia, and Poland,” FireEye said.

The group used fabricated personas posing as analysts and journalists to target Lithuanian, Latvian, and Polish audiences with anti-North Atlantic Treaty Organization (NATO) narratives disseminated via spoofed email accounts and compromised websites.

APT28 Members Sanctioned for Similar Attacks

The Council of the European Union also sanctioned multiple members of the Russian state-backed APT28 hacking group in October 2020 for compromising several Bundestag members’ email accounts in 2015.

The same month, US Cyber Command shared information on malware implants used by Russian state hackers in attacks targeting national parliaments, ministries of foreign affairs, and embassies. In August 2020, Norway disclosed a strikingly similar attack that led to the breach of email accounts belonging to Norwegian Parliament representatives and employees.

Norway’s Minister of Foreign Affairs Ine Eriksen Soreide reported that the August attack was coordinated by Russian state hackers who stole data from each of the hacked accounts, and the Norwegian Police Security Service said APT28 was likely behind the operation.

In February 2021, the National Security and Defense Council of Ukraine (NSDC) also linked Russian-backed state hackers to an attack against the Ukrainian government that attempted to breach state agencies after compromising the government’s document management system.
