VYPR
breach · Published Jun 14, 2026 · Updated Jun 15, 2026 · 1 source

GhostWriter Expands Phishing to Personal Gmail Accounts of Polish Officials and Families

Poland warns that the Belarus-linked GhostWriter group is now targeting personal Gmail accounts of senior public figures and their relatives in an expanded phishing campaign.

Poland has warned that a Belarus-linked hacker group has expanded its phishing operations to target personal Gmail accounts belonging to senior public figures and their relatives. The group, known as GhostWriter, has previously focused on compromising work accounts and email services hosted by Polish email providers. Since March, however, its campaigns have increasingly targeted Gmail users, according to CERT Polska, the country's national computer emergency response team.

The campaign has primarily targeted people involved in political and public life, including government officials, researchers, journalists, public administration employees and law enforcement personnel, as well as family members and social contacts. CERT Polska said GhostWriter remains one of the most active state-sponsored threat actors monitored by the agency. "In recent weeks, our team has observed the use of new domains serving phishing pages almost daily," researchers said in a report on Friday.

GhostWriter's phishing campaigns are designed to steal login credentials and two-factor authentication codes, allowing attackers to gain access to victims' email accounts. Once inside, the hackers typically search for contact lists, sensitive documents, and linked online accounts that can be exploited to identify additional targets or take over social media profiles. Researchers said the attackers do not always know the exact email address of their intended target and sometimes rely on guessing likely Gmail addresses, resulting in phishing messages being sent to unrelated people with similar names. The agency has also observed campaigns targeting specific regions and professional groups, including translators and court experts.

GhostWriter, also tracked as UNC1151 and Storm-0257, has been linked by cybersecurity researchers to Belarusian state intelligence services and has been active against Polish targets since Russia's full-scale invasion of Ukraine. Beyond credential theft, the group has conducted influence and disinformation operations aimed at undermining Poland's relationships with Ukraine, the United States and NATO while fueling domestic social tensions.

The hackers have also targeted Ukrainian government agencies and military organizations. Earlier this year, researchers said GhostWriter used fake emails disguised as notifications from a popular online learning platform to distribute malware to Ukrainian government officials. In a separate campaign uncovered by cybersecurity firm SentinelOne last year, the group was seen targeting Belarusian opposition activists.

The expansion to personal Gmail accounts marks a significant shift in GhostWriter's tactics, as it allows the group to bypass security measures on official government email systems and target individuals in their personal lives. This approach also enables the attackers to compromise family members and social contacts, potentially gaining access to sensitive information through less secure personal accounts. The Polish government has urged public figures and their families to remain vigilant and implement additional security measures, such as enabling two-factor authentication and being cautious of unsolicited emails.

This development underscores the persistent threat posed by state-sponsored hacking groups in the region and the evolving nature of their tactics. As GhostWriter continues to adapt its methods, cybersecurity agencies in Poland and beyond will need to stay ahead of these threats to protect high-value targets from credential theft and espionage.

Synthesized by Vypr AI