Belarus-linked hacking group targets Poland with new disinformation campaign

Poland's Ministry of National Defense issued a warning Wednesday about a recent disinformation campaign that has been traced back to the Belarusian hacking group known as Ghostwriter.

As part of the campaign, the hackers — who cybersecurity experts also refer to as UNC1151 — sent fake messages to Polish citizens about potential recruitment to the Lithuanian-Polish-Ukrainian brigade, a multinational military focused on conducting peacekeeping and humanitarian operations. The hackers made false claims that the brigade will take part in military operations in Ukraine.

The campaign is just the latest in a series of disinformation operations conducted by Russia and Belarus-aligned hackers. Polish state authorities claim their goal is to destabilize the situation in the country.

What's special about the recent campaign is the "unprecedentedly fast" attribution, according to Lukasz Olejnik, an independent cybersecurity researcher and consultant from Poland.

The propaganda campaign was detected on April 18, one day after the start of mandatory military qualification in Poland, which assesses the skills and abilities of certain Polish citizens who may potentially join the army.

Given the circumstances, the Polish authorities likely moved quickly to debunk the disinformation campaign, according to Olejnik.

The hackers spread fabricated messages through SMS, Telegram channels, and email using the newly registered mon-gov[.]com domain, Polish authorities said. It is not clear how many people received these messages. Poland’s cybersecurity services warned that the campaign is likely to continue in the future.

Ghostwriter has been actively operating in Poland since the beginning of the war in Ukraine, according to cybersecurity experts. The group's goal in Poland is to disrupt the contry’s relations with its allies, including Ukraine, the U.S., and NATO countries, according to Poland’s Ministry of National Defense. The group’s campaigns have also aimed to foment social unrest among Polish citizens.

In addition to disinformation campaigns, the group also carries out phishing operations that steal email login credentials, compromise websites, and distribute malware.

Poland is frequently targeted by Kremlin-backed hackers due to its support for Ukraine. The country hosts Ukrainian refugees, provides military and humanitarian aid, and is a significant logistics hub for Kyiv.

In February, Russian hackers sent emails to Polish citizens under the guise of state officials, asking for information on Ukrainian refugees living in Poland. In March, another disinformation campaign warned of possible terrorist attacks in Poland. In April, Kremlin-backed hacking group Nobelium launched a spying campaign targeting foreign ministries and diplomatic entities in European countries, including Poland.