Meta alerted all users targeted by the group in recent days, and blocked phishing domains being used by to compromise accounts.
Ghostwriter was linked by cybersecurity group Mandiant last year to the Belarusian government. Last week Ukraine’s cybersecurity agency released a statement accusing the group of sending mass phishing emails to military personnel and their families.
David Agronovich, the director of threat disruption at Meta, told reporters Sunday night that he thinks the “targeting and potential compromise” perpetrated by Ghostwriter goes beyond Meta’s platforms.
Disinformation efforts: Meta also removed and blocked a network of coordinated inauthentic behavior made up of 48 accounts, pages and groups posing as fictitious Kyiv news editors, an aviation expert and independent news outlets. The network had a following of under 4,000 accounts on Facebook and less than 500 Instagram accounts. The accounts, pages and groups were based in Russia and Ukraine and targeted Ukrainians by spreading falsehoods.
Nathaniel Gleicher, head of security policy at Meta, told reporters he was encouraged by the fact that his teams, with help from other companies and the government, found these accounts before they built large audiences.
Previous steps taken: The news came on the heels of multiple efforts by Meta to address security and privacy concerns for users stemming from the Russian invasion of Ukraine. Meta has banned ads from Russian state media, applied labels to content from Russian state media and expanded both Russian-language and Ukrainian-language fact-checking operations.
Gleicher said that more steps were being taken by Meta to secure accounts in Ukraine and Russia. Users in Russia and Ukraine can now lock their profiles, and Facebook has temporarily blocked the ability to search through friends lists of Ukrainian users to protect people who might be targeted.
Gleicher declined to detail any further steps the company planned to take, but said that the company is “continuing to evaluate a full range of options.”
Gleicher declined to comment on reports that Russia was planning to throttle Facebook operations in the country, noting that “our teams will be working on this.”