
Ghostwriter

aka: UNC1151, TA445, PUSHCHA

Ghostwriter is referred to as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.


Associated Families
win.microbackdoor

References
2023-02-16 | Google | Shane Huntley
@online{huntley:20230216:fog:de676ba, author = {Shane Huntley}, title = {{Fog of war: how the Ukraine conflict transformed the cyber threat landscape}}, date = {2023-02-16}, organization = {Google}, url = {https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/}, language = {English}, urldate = {2023-02-16} } Fog of war: how the Ukraine conflict transformed the cyber threat landscape
APT28 Ghostwriter SaintBear Sandworm Turla
2022-07-20 | Mandiant | Mandiant Threat Intelligence
@online{intelligence:20220720:evacuation:edd478e, author = {Mandiant Threat Intelligence}, title = {{Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities}}, date = {2022-07-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/spear-phish-ukrainian-entities}, language = {English}, urldate = {2022-07-25} } Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20 | U.S. Cyber Command | Cyber National Mission Force Public Affairs
@online{affairs:20220720:cyber:b7604e7, author = {Cyber National Mission Force Public Affairs}, title = {{Cyber National Mission Force discloses IOCs from Ukrainian networks}}, date = {2022-07-20}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/}, language = {English}, urldate = {2022-07-25} } Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-19 | Google | Billy Leonard
@online{leonard:20220719:continued:2a97da1, author = {Billy Leonard}, title = {{Continued cyber activity in Eastern Europe observed by TAG}}, date = {2022-07-19}, organization = {Google}, url = {https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag}, language = {English}, urldate = {2022-08-05} } Continued cyber activity in Eastern Europe observed by TAG
CyberAzov APT28 Callisto Ghostwriter Sandworm Turla
2022-04-29 | AttackIQ | Francis Guibernau, Jackson Wells
@online{guibernau:20220429:attack:52c55b9, author = {Francis Guibernau and Jackson Wells}, title = {{Attack Graph Response to UNC1151 Continued Targeting of Ukraine}}, date = {2022-04-29}, organization = {AttackIQ}, url = {https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/}, language = {English}, urldate = {2022-05-04} } Attack Graph Response to UNC1151 Continued Targeting of Ukraine
MicroBackdoor
2022-04-07 | InQuest | Will MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-25 | GOV.UA | State Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-14 | Qianxin | Red Raindrop Team
@online{team:20220314:analysis:9a058f9, author = {Red Raindrop Team}, title = {{Analysis Of Attack Activities Of Suspected APT Organization UNC1151 Against Ukraine And Other Countries}}, date = {2022-03-14}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/}, language = {Chinese}, urldate = {2022-03-15} } Analysis Of Attack Activities Of Suspected APT Organization UNC1151 Against Ukraine And Other Countries
MicroBackdoor
2022-03-08 | Cluster25 | Cluster25
@online{cluster25:20220308:ghostwriter:3f0d3c1, author = {Cluster25}, title = {{GhostWriter / UNC1151 adopts MicroBackdoor Variants in Cyber Operations against Ukraine}}, date = {2022-03-08}, organization = {Cluster25}, url = {https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/}, language = {English}, urldate = {2022-03-10} } GhostWriter / UNC1151 adopts MicroBackdoor Variants in Cyber Operations against Ukraine
MicroBackdoor
2022-03-07 | Cert-UA | Cert-UA
@online{certua:20220307:uac0051:18afbc7, author = {Cert-UA}, title = {{UAC-0051 (UNC1151) Cyberattack on Ukrainian State Organizations Using MicroBackdoor Malware (CERT-UA#4109)}}, date = {2022-03-07}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/37626}, language = {Ukrainian}, urldate = {2022-03-08} } UAC-0051 (UNC1151) Cyberattack on Ukrainian State Organizations Using MicroBackdoor Malware (CERT-UA#4109)
MicroBackdoor
2022-02-28 | Bleeping Computer | Sergiu Gatlan
@online{gatlan:20220228:meta:7d5b51a, author = {Sergiu Gatlan}, title = {{Meta: Ukrainian officials, military targeted by Ghostwriter hackers}}, date = {2022-02-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers/}, language = {English}, urldate = {2022-03-07} } Meta: Ukrainian officials, military targeted by Ghostwriter hackers
Ghostwriter
2022-02-28 | Bleeping Computer | Sergiu Gatlan
@online{gatlan:20220228:meta:70850f0, author = {Sergiu Gatlan}, title = {{Meta: Ukrainian officials, military targeted by Ghostwriter hackers}}, date = {2022-02-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers}, language = {English}, urldate = {2022-07-25} } Meta: Ukrainian officials, military targeted by Ghostwriter hackers
Ghostwriter
2021-11-16 | Mandiant | Gabriella Roncone, Alden Wahlstrom, Alice Revelli, David Mainor, Sam Riddell, Ben Read, Mandiant Research Team
@online{roncone:20211116:unc1151:a2da6dc, author = {Gabriella Roncone and Alden Wahlstrom and Alice Revelli and David Mainor and Sam Riddell and Ben Read and Mandiant Research Team}, title = {{UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests}}, date = {2021-11-16}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc1151-linked-to-belarus-government}, language = {English}, urldate = {2021-11-17} } UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests
Ghostwriter
2021-05-04 | Cr4sh
@online{cr4sh:20210504:cr4sh:3c1597c, author = {Cr4sh}, title = {{Cr4sh / MicroBackdoor : Small and convenient C2 tool for Windows targets}}, date = {2021-05-04}, url = {https://github.com/cr4sh/microbackdoor}, language = {English}, urldate = {2021-05-04} } Cr4sh / MicroBackdoor : Small and convenient C2 tool for Windows targets
MicroBackdoor
2021-03-31 | Twitter (@hatr) | Hakan Tanriverdi
@online{tanriverdi:20210331:ghostwriter:28526c7, author = {Hakan Tanriverdi}, title = {{Tweet on Ghostwriter}}, date = {2021-03-31}, organization = {Twitter (@hatr)}, url = {https://twitter.com/hatr/status/1377220336597483520}, language = {English}, urldate = {2021-04-06} } Tweet on Ghostwriter
Ghostwriter
2020-07-29 | FireEye | Lee Foster, Sam Riddell, David Mainor, Gabby Roncone
@online{foster:20200729:ghostwriter:0d042f4, author = {Lee Foster and Sam Riddell and David Mainor and Gabby Roncone}, title = {{'Ghostwriter' Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests}}, date = {2020-07-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/ghostwriter-influence-campaign.html}, language = {English}, urldate = {2021-04-06} } 'Ghostwriter' Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests
Ghostwriter

Credits: MISP Project