On the night of January 13 and the morning of January 14, Ukrainian government sites were hit by a massive cyber-attack that saw half a dozen key government sites crash. Among the sites affected were the Ministry of Foreign Affairs, Ministry of Veterans Affairs, State Emergency Service, Cabinet of Ministers, Ministry of Energy and the Ministry of Education and Science, as well as Diia, Ukraine’s e-governance website and app which allows Ukrainians to access their digital documents such as passports and driving licences.
The attack immediately prompted harsh warnings from the international community and the general assumption that Russian hackers were behind it. However, on further investigation it appears the attack originated in Belarus and that the hackers had access to the administration codes of a private company that built most of the sites. Serhiy Demedyuk, Ukraine’s deputy secretary of the national security and defence council, told Reuters that Ukraine blamed a group known as UNC1151 and that the attack was cover for more destructive actions behind the scenes.
So who are the UNC1151?
In 2017, the company Mandiant Threat Intelligence started to track the activity of a hacker group designated as UNC1151. In 2021, Mandiant released a report which tied UNC1151 to the Belarusian government and to the Ghostwriter information operation of 2020.
Mandiant claims that UNC1151 has been operating credential-theft domains since at least 2016, spoofing legitimate websites to steal victims’ credentials. This has been done against Facebook, Google and Twitter, but also against Ukrainian, Lithuanian, Latvian, Polish and German websites. The group has also performed malware-based intrusions in Eastern European countries, with multiple intrusions targeting Ukraine and some targeting Lithuania and Poland. A year prior to the disputed Belarusian elections of 2020, UNC1151 targeted media entities in Ukraine, Lithuania, Latvia and Poland; moreover, several Belarusian individuals targeted by UNC1151 before the Belarus 2020 election were later arrested by Belarusian authorities. The geographical scope of the group’s focus aligns with Belarusian and Russian geopolitical security interests, and during 2020 it aligned even more closely with the interests of the Belarusian regime.
According to Mandiant, “Sensitively sourced technical evidence indicates that the operators behind UNC1151 are likely located in Minsk, Belarus. This assessment is based on multiple sources that have linked this activity to individuals located in Belarus. In addition, separate technical evidence supports a link between the operators behind UNC1151 and the Belarusian military.”
The group can therefore be linked to the Belarusian regime both through its geographical focus and through technical evidence. Mandiant also notes that, given the close ties between the Russian and Belarusian governments, there is a possibility of collaboration. However, Mandiant has not uncovered direct evidence of the Russian government's involvement in UNC1151 operations. Although the majority of UNC1151 operations have targeted countries neighbouring Belarus, governments with no obvious connection to Belarus have also been targeted. Mandiant notes that there are "multiple possible explanations for this targeting, including incidental inclusion on diplomatic mailing lists, or non-public bilateral issues. However, the targeting that does not align directly to Belarusian interests could indicate that UNC1151 also supports additional priorities."
Mandiant says that it was unable to find any connections to previously tracked groups such as the Russian hacker groups APT28, Sandworm or TEMP.Armageddon, which have conducted multiple credential theft operations and malware attacks in the past. UNC1151 has, however, been connected to the large “Ghostwriter” information operation of 2020, which targeted Nato.
In 2020, researchers at the cyber security company FireEye uncovered a disinformation campaign which distributed fake news content through compromised news websites in order to discredit Nato. FireEye named this information operation Ghostwriter, “based on its use of inauthentic personas posing as locals, journalists and analysts within the target countries to post articles and op-eds referencing the fabrications as source material to a core set of third-party websites that publish user-generated content”. Unlike previous information operations, this one did not spread through social networks; instead it used the compromised content management systems (CMS) of news websites, or faked email accounts, to disseminate disinformation.
In November last year, the Belarusian security service, the KGB, was accused by Meta (formerly known as Facebook) of organising an online disinformation campaign in connection with the Belarus-EU migrant crisis. According to Meta, it had identified and removed 41 Facebook accounts, four Instagram accounts and five Facebook groups linked to the KGB. Meta said that these accounts used “deepfake” technology to create convincing profile pictures and posted criticism of Poland’s handling of the migrant situation in English, Polish and Kurdish.