Belarus-linked hackers target Gmail accounts of Polish public figures and their families
Poland has warned that a Belarus-linked hacker group has expanded its phishing operations to target personal Gmail accounts belonging to senior public figures and their relatives.
The group, known as GhostWriter, has previously focused on compromising work accounts and email services hosted by Polish email providers. Since March, however, its campaigns have increasingly targeted Gmail users, according to CERT Polska, the country's national computer emergency response team.
The campaign has primarily targeted people involved in political and public life, including government officials, researchers, journalists, public administration employees and law enforcement personnel, as well as family members and social contacts.
CERT Polska said GhostWriter remains one of the most active state-sponsored threat actors monitored by the agency.
"In recent weeks, our team has observed the use of new domains serving phishing pages almost daily," researchers said in a report on Friday.
GhostWriter's phishing campaigns are designed to steal login credentials and two-factor authentication codes, allowing attackers to gain access to victims' email accounts. Once inside, the hackers typically search for contact lists, sensitive documents, and linked online accounts that can be exploited to identify additional targets or take over social media profiles.
Researchers said the attackers do not always know the exact email address of their intended target and sometimes rely on guessing likely Gmail addresses, resulting in phishing messages being sent to unrelated people with similar names. The agency has also observed campaigns targeting specific regions and professional groups, including translators and court experts.
GhostWriter, also tracked as UNC1151 and Storm-0257, has been linked by cybersecurity researchers to Belarusian state intelligence services and has been active against Polish targets since Russia's full-scale invasion of Ukraine.
Beyond credential theft, the group has conducted influence and disinformation operations aimed at undermining Poland's relationships with Ukraine, the United States and NATO while fueling domestic social tensions.
The hackers have also targeted Ukrainian government agencies and military organizations. Earlier this year, researchers said GhostWriter used fake emails disguised as notifications from a popular online learning platform to distribute malware to Ukrainian government officials.
In a separate campaign uncovered by cybersecurity firm SentinelOne last year, the group was seen targeting Belarusian opposition activists.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.



