EU warns Russia over ‘Ghostwriter’ hacking ahead of German elections

The European Union has warned it may take action over Russia’s involvement in “malicious cyber activities” against several EU member states.

The “Ghostwriter” campaign targeted “numerous members of Parliaments, government officials, politicians, and members of the press and civil society in the EU”, according to a press release from the European Council on Friday, and was carried out “by accessing computer systems and personal accounts and stealing data.”

The statement by the European executive, comprised of the bloc’s heads of state, said the EU was considering “taking further steps,” but did not elaborate on what actions it would take.

“Today’s declaration is about strongly denouncing malicious cyber activities, designated as Ghostwriter that some member states have observed and associated with the Russian state,” Nabila Massrali, a spokesperson for the European Council, told TechCrunch. “These activities are unacceptable and all involved must put them to an end immediately. Such activities seek to threaten our integrity and security, democratic values and principles and attempt to undermine our democratic institutions and processes. We urge the Russian Federation to adhere to the norms of responsible state behavior in cyberspace.”

No specific incidents were mentioned in the press release. But the spokesperson added that the warning comes in light of the upcoming German elections on September 26.

Earlier this month, Germany said the Russia-linked Ghostwriter campaign had been “combining conventional cyberattacks with disinformation and influence operations” in an attempt to spread disinformation before the upcoming election. At the time, the German government said it had “reliable information” that recent cyberattacks — which involved hackers using phishing emails in an attempt to get hold of personal login details of federal and state lawmakers — could be attributed to actors in Russia, “specifically to the Russian military intelligence service GRU.”

Ghostwriter has been ongoing since 2017, according to a 2020 report by FireEye, and has been involved in anti-NATO disinformation campaigns, cyber espionage and politically damaging hack-and-leak operations throughout Europe. In a follow-up report released in April this year, FireEye linked the Ghostwriter campaign to UNC1151, a threat actor that is believed to be backed by the Kremlin. 

Since then, Prevailion, a cybersecurity startup that specializes in compromise breach monitoring and cyber adversary intelligence, found that the infrastructure associated with UNC1151 is three times larger than was previously documented, and its malicious cyber activities are broader and more aggressive than was originally suspected.

Karim Hijazi, chief executive of Prevailion, said earlier this month that UNC1151 is “positioned for a much wider operation, both in Europe and potentially beyond.”