{
	"id": "6d20a29c-a61c-48fc-b3c0-210652fda9aa",
	"created_at": "2026-04-06T00:16:19.335225Z",
	"updated_at": "2026-04-10T13:11:18.517738Z",
	"deleted_at": null,
	"sha1_hash": "8118ddac5fb59aabbf4e1c94be6c2c45b37b4fda",
	"title": "Meta: Ukrainian officials, military targeted by Ghostwriter hackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1442652,
	"plain_text": "Meta: Ukrainian officials, military targeted by Ghostwriter hackers\r\nBy Sergiu Gatlan\r\nPublished: 2022-02-28 · Archived: 2026-04-05 17:51:39 UTC\r\nFacebook (now known as Meta) says it took down accounts used by a Belarusian-linked hacking group (UNC1151 or\r\nGhostwriter) to target Ukrainian officials and military personnel on its platform.\r\nIn November 2021, Mandiant security researchers linked the UNC1151 threat group with high confidence to the Belarusian\r\ngovernment, as well as a hacking operation the company tracks as Ghostwriter.\r\nFacebook also blocked multiple phishing domains used by the threat actors to try and compromise the accounts of Ukrainian\r\nusers.\r\nhttps://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"We detected attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and\r\nsurrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white\r\nflag of surrender,\" Meta's Head of Security Policy Nathaniel Gleicher and Threat Disruption Director David Agranovich\r\nsaid.\r\n\"We also blocked phishing domains these hackers used to try to trick people in Ukraine into compromising their online\r\naccounts.\"\r\nAccounts believed to be targeted in this campaign have been secured by Facebook's security team, and the users have been\r\nalerted of the hacking attempts.  \r\nFacebook also took down a small network of a few dozen Facebook and Instagram Pages and Groups operating from Russia\r\nand Ukraine and targeting Ukrainians via fake accounts across multiple social media platforms, including Facebook,\r\nInstagram, Twitter, YouTube, Telegram, Odnoklassniki, and VK.\r\nThis operation was also behind a small number of sites that were masquerading as independent news portals and publishing\r\nclaims about Ukraine being betrayed by the West and \"being a failed state.\"\r\nHybrid warfare\r\nMeta's report confirms a warning issued by the Computer Emergency Response Team of Ukraine (CERT-UA) on Friday\r\nregarding spear-phishing attacks targeting the private email accounts of the Ukrainian military.\r\nEmail accounts compromised in these attacks were then used to target the victims' contacts with similar phishing messages\r\nthreatening to permanently disable their accounts unless they verified their contact information.\r\nThe Ukrainian State Service of Special Communications and Information Protection (SSSCIP) also warned of a separate and\r\nongoing series of phishing attacks targeting Ukrainians with malicious documents.\r\nSlovak internet security firm ESET issued its own alert the same day regarding cybercriminals impersonating humanitarian\r\norganizations to scam donors of organizations focused on helping Ukraine during the war started Thursday by Russia's\r\ninvasion.\r\nThese attacks follow data-wiping attacks against Ukrainian networks with HermeticWiper malware and ransomware\r\ndecoys aiming to destroy data and render devices unbootable. In January, Ukraine was also hit by data wipers when the\r\nWhisperGate wiper was deployed in attacks disguised as ransomware.\r\nBefore Russia's invasion, the Ukrainian Security Service (SSU) said the country is being targeted by a \"massive wave of\r\nhybrid warfare.\"\r\nOver the weekend, Ukraine's Vice Prime Minister Mykhailo Fedorov announced the creation of an \"IT army\" to help\r\nUkraine \"fight on the cyber front.\"\r\nhttps://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers\r\nhttps://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers"
	],
	"report_names": [
		"meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434579,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8118ddac5fb59aabbf4e1c94be6c2c45b37b4fda.pdf",
		"text": "https://archive.orkl.eu/8118ddac5fb59aabbf4e1c94be6c2c45b37b4fda.txt",
		"img": "https://archive.orkl.eu/8118ddac5fb59aabbf4e1c94be6c2c45b37b4fda.jpg"
	}
}