Prevailion, which specializes in compromise breach monitoring and cyber adversary intelligence, says it has discovered new operational details for UNC1151. What’s that? It’s a suspected Russian state-sponsored cyber threat actor that “has been involved in cyber espionage and online disinformation and influence campaigns throughout Europe,” according to Prevailion.
About the report
The company’s researchers say they’ve determined that UNC1151’s online infrastructure is three times larger than what has been previously documented, and its malicious cyber activities are broader and more aggressive than was originally suspected. These operations are also continuing to evolve and expand, says CEO Karim Hijazi.
What is UNC1151?
UNC1151 is a cyber threat actor that is believed to be backed by the Kremlin and responsible for a series of ongoing malicious activities throughout Europe known as “Ghostwriter”. These activities involve anti-NATO disinformation campaigns, cyber espionage and politically damaging hack-and-leak operations.
This group was first identified by FireEye’s Mandiant in April 2021, as a follow-up to its July 2020 report which first identified the Ghostwriter campaign. Additional research on UNC1151 and Ghostwriter has been carried out by several other companies, including ThreatConnect, DomainTools and VSQUARE.
Among other things, Prevailion’s Adversarial Counterintelligence Team (PACT) says it identified domain and subdomain naming themes that indicate a change in targeting around 2020/2021, as Ghostwriter targeted European Apple (iPhone and iCloud) and PayPal users, as well as European users of popular regional web service providers like OVH Telecom and global tech giants like Google, Microsoft, Twitter, and Facebook.