Enlarge /. The propagandists have been creating and disseminating disinformation since at least March 2017, focusing on undermining NATO and US troops in Poland and the Baltic States.
Petras Malukas | Getty Images
In recent years, online disinformation has made an evolutionary leap forward, with the Internet Research Agency sparking outrage through social media and hackers passing documents – both real and fictional – to their narrative. More recently, Eastern Europe has taken on a large-scale campaign that takes counterfeit news to a new level: hack legitimate news sites to plant fake stories, and then quickly amplify them on social media before turning them off.
On Wednesday, security firm FireEye released a report on a disinformation-focused group they call ghostwriters. The propagandists have been creating and disseminating disinformation since at least March 2017, focusing on undermining NATO and US troops in Poland and the Baltic States. They have published fake content in everything from social media to pro-Russian news websites. In some cases, FireEye says, Ghostwriter used a bolder tactic: hacking news website content management systems to publish their own stories. They then spread their literal fake messages using fake emails, social media, and even comments that the propagandists write on other websites that accept user-generated content.
This hacking campaign, targeting media sites from Poland to Lithuania, has spread false stories about U.S. military attacks, NATO soldiers spreading the Corona virus, NATO planning a major invasion of Belarus, and more. "They spread these stories that NATO is at risk of being angry with the locals, being infected, being a car thief," said FireEye director of intelligence John Hultquist. "And they spread these stories by a variety of means, the most interesting of which is hacking and planting local media websites. These fictional stories are suddenly gullible from the websites they are on, and then they go inside and spread the link to the story. "
FireEye itself has not conducted an incident response analysis on these incidents and admits that it does not know exactly how the hackers steal credentials that give them access to the content management systems that can be used to publish and change messages. It also doesn't know who is behind the series of website compromises or what concerns the larger disinformation campaign to which the fake stories belong.
However, the company's analysts have found that the news website compromises and uses online accounts to share links to these fictional stories, as well as the more traditional creation of fake news on social media, blogs, and anti-US websites. and anti-US guidelines NATO leaned forward to all tie in with a specific group of people, indicating a unified effort to disinformation. FireEyes Hultquist points out that the campaign does not appear to be financially motivated, suggesting a political or state supporter, and notes that the focus on driving a wedge between NATO and Eastern European citizens is on Russia's possible involvement indicates.
This would not be the first time Russian hackers planted fake messages. In 2017, U.S. intelligence agencies concluded that Russian hackers violated Qatar's state news agency and posted fake news that is said to embarrass the country's leader and cause a conflict with the U.S., although U.S. intelligence agencies never involve the Kremlin confirmed.
"We cannot currently tie it to Russia in concrete terms, but it is certainly in their interests," says Hultquist of the ghostwriter campaign. "It wouldn't be a surprise to me if the evidence brought us here."
False news on the Baltic-language news sites Baltic Course and Baltic Times claim that a US armored vehicle ran over and killed a Lithuanian child (left), and the first COVID-19 patient in Lithuania was a US soldier who previously "visited." “Have public places and took part in city events with the participation of children and young people. "
Archive.is about Baltic Course and Baltic Times
Two false stories were planted on the Lithuanian news site Kas Vyksta Kaune, one about a planned NATO invasion of Belarus (left) and one about German soldiers profaning a Jewish cemetery, including a photo with photos showing a military vehicle with a German flag .
Archive.is about Kas Vyksta Kaune
Much of the disinformation has focused on Lithuania, DefenseOne reported late last year. For example, in June 2018, the English-language Baltic Course news site, Baltic Course, published a story claiming that an armored US Stryker vehicle collided with a Lithuanian child on a bike and killed the child "on the spot" . On the same day, the Baltic Course posted a notice on the website that "Hackers have posted this news about the deceased child, which is FAKE !!! We thank our vigilant Lithuanian readers who posted fake news on site on our Facebook page we have strengthened security measures. "
A few months later, the Lithuanian news site Kas Vyksta Kaune published a story saying that "NATO plans to invade Belarus" and shows a map of how NATO forces in Poland and the Baltic States would enter the neighboring country. Kas Vyksta Kaune later admitted that the story was fake and planted by hackers. Someone had used a former employee's credentials to gain access to the CMS. In September last year, another fake story about German NATO soldiers desecrating a Jewish cemetery was published on the website, including what FireEye describes as a photoshoppt image of a military vehicle with a German flag behind the cemetery.
More recently, the fake stories have tried to take advantage of fears of COVID-19. A story published to both Kas Vyksta Kaune and the English-language Baltic Times in January claimed that the first COVID-19 case in Lithuania was a U.S. soldier hospitalized in critical condition, however only after "visiting public places and participating in the city" events involving children and young people, "according to the Baltic Times version of the story.
Let's go to Poland
In April and May of this year, the focus was on Poland: a fake story was published on several Polish news sites in which a US official dismissed the local Polish armed forces as disorganized and incompetent. This time the campaign even went beyond news sites. A fake letter from a Polish military official was posted on the website of the Polish Military Academy, demanding that the Polish military stop military exercises with the United States, decipher the "occupation" of Poland by the United States, and exercise the exercises as an "obvious provocation" of Russia describe . The Polish government quickly released the letter as a fake.
FireEye's finding that all the news counterfeiting operations were carried out by a single group follows a report by the New York Times that the Russian military intelligence agency GRU coordinated the publication of disinformation on websites such as InfoRos, OneWorld.press and GlobalResearch. approx. US intelligence officials who spoke to the Times said the disinformation campaign, which included false reports that COVID-19 was from the United States, was specifically the work of the GRU's Psychological Warfare Unit, known as Unit 54777 .
Given the role of the GRU in meddling in the 2016 presidential election, including its hack-and-leak operations against the National Democratic Committee and the Clinton campaign, any role the GRU may play in recent disinformation raises concerns that it will also affect the election Could target 2020. While FireEye made no such claims that the compromises on the ghostwriter news site were the work of the GRU, Hultquist argues that the incidents in Poland and the Baltic States should still serve as a warning. Even if false stories are quickly discovered and removed, they could have a significant temporary impact on public opinion, he warns.
"I'm worried that we might see this type of compromised media tactic in the West and even during the elections. It's a perfect kind of last minute tactic," says Hultquist. "Once the ghost is out of the bottle, can you put it back in? Can you let enough people understand that this is a strange force that has fueled this story? It could be too late."
This story originally appeared on wired.com.