
Belarus government is involved in UNC1151 Ghostwriter attack: Research


US-based cybersecurity firm Mandiant has assessed with “high confidence” that UNC1151 is linked to the Belarusian government. In April 2021, the company reported that UNC1151 provides technical support for the Ghostwriter attack campaign.

This new assessment, detailed in a public report published by Mandiant on Tuesday, along with Ghostwriter narratives that align with the Belarusian government’s interests, has led the group to “assess with moderate confidence” that Belarus is at least partially responsible for the campaign.

The report further states that while there’s no direct proof yet, Russia’s involvement in Ghostwriter or UNC1151 can’t be ruled out either. 


Anti-NATO cyber campaign aligning with Belarus’ interests

According to Mandiant, “sensitively sourced evidence” has pointed to Minsk, Belarus, as a likely base of operations. This evidence has also pointed to a link between UNC1151 and the Belarusian military. Mandiant has directly observed this evidence, and the connections have been confirmed with separate sources.

Multiple government and private entities have been targeted by UNC1151, with a particular focus on Ukraine, Lithuania, Latvia, Poland, and Germany. Belarusian dissidents, journalists and media entities have also been targeted. The specific target scope aligns primarily with Belarusian interests.

Apart from this, UNC1151 has been found to target multiple media entities and members of the opposition in 2019, a year before the Belarusian elections. The group has also targeted media outlets in Lithuania, Poland, Ukraine, and Latvia, but opposition leaders and political activists were spared. The Belarusian government later arrested several individuals targeted by UNC1151. 

UNC1151 targets between 2017 and 2020. | Source: Mandiant

The group has not targeted any Russian or Belarusian state entities despite being focused on Eastern Europe. Additionally, the group has spear phished multiple intergovernmental organisations dealing with former-Soviet states; however, the governments were left out of the attacks.

A minority of attacks have also been conducted against governments with no apparent connection to Belarus, mainly between 2016 and 2019. Since these attacks don’t align with Belarus’ interests, the chances are that UNC1151 has other priorities.


Yadullah Abidi
