Facebook has kicked the so-called hacker network Ghostwriter from the platform. Ghostwriter targeted Ukrainian military personnel. Phishing attacks were used to try to take over their social media accounts and use fake posts to persuade Ukrainian soldiers to give up. This is what the current meta-danger report reports in its Ukraine security update ( HERE ).
Significant increase in attacks by ghostwriters
Facebook reported a significant increase in attacks on Ukrainian military accounts in its April 7 report.
As we've shared before, Ghostwriter typically targets people through email compromise and then uses that to gain access to their social media accounts across the internet. Since our last public update, this group has attempted to hack into the Facebook accounts of dozens of Ukrainian military personnel. In a handful of cases, they posted videos calling on the Army to surrender as if these posts were coming from the legitimate account owners. We blocked these videos from being shared.
(HERE)
As we've previously reported, ghostwriters typically target people by compromising their email and then gaining access to their social media accounts via the Internet. Since our last public update on February 27, this group has attempted to hack into the Facebook accounts of dozens of Ukrainian military personnel. In some cases, videos calling for the army to surrender were posted as if these posts came from the legitimate account holders. We have blocked these videos from being shared.
Translated with www.DeepL.com/Translator (free version)
In the aforementioned update from February 27, the parent company of Facebook, WhatsApp and Instagram, Meta, had stated that ghostwriters
“attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender.” Meta said it had “taken steps to secure accounts that we believe were targeted by this threat actor” and “blocked phishing domains these hackers used to try to trick people in Ukraine into compromising their online accounts.”
Translated with www.DeepL.com/Translator (free version)
“Attempts discovered to target people on Facebook to post YouTube videos that portrayed Ukrainian troops as weak and surrendered to Russia, including a video purporting to show Ukrainian soldiers emerging from a forest waving a white flag of surrender.”
Translated with www.DeepL.com/Translator (free version)
Meta explained that it had taken various steps to secure the accounts that were the focus of hackers and were therefore particularly at risk. For example, relevant phishing domains were blocked. However, Ghostwriter continued its attacks and hacked into the accounts of Ukrainian military personnel.
Who is a ghostwriter?
The name of this hacker collective first came to light when the cyber security company Mandiant ( HERE ) used it to describe a campaign that was intended to influence the public perception of NATO's presence in Eastern Europe. This campaign, in turn, is said to be closely linked to a cyber espionage group called UNC1151, which in turn is said to have close ties to the Belarusian government.
More networks removed
Facebook has not only removed ghostwriters from the platform, but has also identified other malicious networks. This was, among other things, a group of Russian accounts that wanted to get accounts that had been attacked to be deleted by Facebook via mass notifications. Meta reports that a network has been removed due to inauthentic behavior as part of its policy against mass reporting. This has repeatedly misused the reporting tool to report people in Ukraine and Russia for fictitious violations of Facebook guidelines and thus silence them ( HERE ).
What is notable in this context is the fact that the group's attacks increased following Russia's invasion of Ukraine.
The now-removed accounts “relied on fake, authentic, and duplicate accounts to submit hundreds—in some cases, thousands—of complaints against their targets through our abuse reporting tools.” The group's activity increased in mid-February, before Russia's invasion of Ukraine.
The now-removed accounts “relied on fake, authentic and duplicate accounts to file hundreds – in some cases thousands – of complaints against their targets through our abuse reporting tools.” The group's activities increased in mid-February, before Russia's invasion of Ukraine.
Translated with www.DeepL.com/Translator (free version)
Around 50 users came together in a group on the topic of cooking to carry out mass reporting on a large scale using accounts that were partly fake, partly authentic, partly duplicate.
In individual cases there were hundreds to thousands of reports. Not only Ukrainians were addressed, but also people in Russia, Israel, the United States and Poland. Facebook became aware of the practices through its own investigations and its own automatic systems and deactivated the corresponding accounts.
Fictional AI-generated personas
Another network that acted with unfair intent involved various Russian Facebook and Instagram accounts that targeted Ukrainian users. Here, artificial intelligence was used to generate personas and brands, which were built with great effort into credible accounts in order to survive the scrutiny of the platforms and analysts. Here, for example, photorealistic images of people who never existed were created using GAN technology ( HERE ).
Secure Facebook accounts in Ukraine and Russia
In its security report, Facebook also provides specific assistance on how users in general and particularly vulnerable users in particular can secure their accounts.
Users in Ukraine and Russia are strongly advised to increase the security of their online accounts, including email and social media. To protect online accounts and maintain access to social media and other websites blocked in your country, Facebook advises:
- Download a VPN app to your devices to access blocked websites, such as: B. social media, via an encrypted connection
- Enabling two-factor authentication using a third-party authentication app such as Google Authenticator or Duo
- Using strong passwords that are unique to each account. No password recycling.
Conclusion
Various networks and user groups are trying to attack Ukrainian and Russian users via Facebook and the other meta-platforms such as WhatsApp and Instagram, to hack their accounts and misuse them to spread Russia-friendly propaganda material or to have them deleted from the platforms. Members of the Ukrainian military were particularly targeted by hackers. The hacker network Ghostwriter is said to be responsible for attacks on the accounts of Ukrainian military personnel, through which, among other things, videos were distributed that were intended to demoralize Ukrainian soldiers and persuade them to give up.
All top topics from yesterday: https://www.mimikama.org/tagesthemen
If you enjoyed this post and value the importance of well-founded information, become part of the exclusive Mimikama Club! Support our work and help us promote awareness and combat misinformation. As a club member you receive:
📬 Special Weekly Newsletter: Get exclusive content straight to your inbox.
🎥 Exclusive video* “Fact Checker Basic Course”: Learn from Andre Wolf how to recognize and combat misinformation.
📅 Early access to in-depth articles and fact checks: always be one step ahead.
📄 Bonus articles, just for you: Discover content you won't find anywhere else.
📝 Participation in webinars and workshops : Join us live or watch the recordings.
✔️ Quality exchange: Discuss safely in our comment function without trolls and bots.
Join us and become part of a community that stands for truth and clarity. Together we can make the world a little better!
* In this special course, Andre Wolf will teach you how to recognize and effectively combat misinformation. After completing the video, you have the opportunity to join our research team and actively participate in the education - an opportunity that is exclusively reserved for our club members!
Notes:
1) This content reflects the current state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic. 2) Individual contributions were created through the use of machine assistance and were carefully checked by the Mimikama editorial team before publication. ( Reason )

