Hackers publish fake story about Ukrainians attempting to assassinate Slovak president

An unidentified attacker hacked a Czech news service's website and published a fake story on Tuesday claiming that an assassination attempt had been made against the newly elected Slovak president, Peter Pellegrini.

According to the government-owned public service Czech News Agency (CTK), the attacker posted the false article directly to its website, meaning the story was not distributed to the service’s clients.

The article has since been retracted, with CTK declaring it to be a fake and announcing that it had informed the country’s intelligence agencies and cybersecurity authority about the breach.

The headline of the fake story claimed that Slovakia’s domestic intelligence agency, the Security Information Service (BIS), “prevented an assassination attempt on the newly elected Slovak President Petr Pelligrini.”

Readers noted that the story misspelled Peter Pellegrini’s name.

Pellegrini was elected earlier this month, providing what Reuters reported was a boost to Slovakia’s pro-Russian prime minister Robert Fico. Despite Slovakia’s NATO membership, Pellegrini has said he would oppose sending the country’s armed forces to assist a member state if it were attacked by Russia.

The false story published on Tuesday in both Czech and English said that the fictitious attempted assassination of Pellegrini was planned by Ukrainian nationals. It named Vitaliy Usatyy, Kyiv’s charge d’affaires in Prague, as one of the perpetrators.

CTK described the incident as an act of disinformation. No evidence has yet been published tying the hack to a particular actor, and the news agency said it would not be releasing further information.

CTK is published in both Czechia and Slovakia and has been in operation since 1918, when Czechoslovakia declared its independence from Austria-Hungary. It has been an editorially independent public news service since the Velvet Revolution in 1989, following the collapse of the Communist Party.

Similar publications of false stories on hacked legitimate news sites have previously been described as information operations by Mandiant, and attributed to a notorious group of hackers affiliated with the Belarusian government.

The group, tracked as Ghostwriter, as well as UNC1151 and Storm-0257, is known to target journalists with spearphishing emails in order to gain access to their organization’s content management systems.

GhostWriter has previously targeted Ukrainian military personnel and Poland's government services before. The group mostly carries out phishing operations that steal email login credentials, compromise websites and distribute malware.

In one attempt to inflame tensions in Poland, the hackers published a news story “that a priest had been murdered by a migrant who they claimed was an Iraqi national and who had been in Lithuania and snuck into Poland,” according to Benjamin Read, Mandiant’s director of cyber espionage analysis. But “the priest was still alive - people called him and he was still alive - so it wasn't necessarily very effective.”

Correction: A previous version of this article incorrectly stated one of the other names of the threat group Ghostwriter. It is Storm-0257, not Storm-0157.