Belarus-Linked GhostWriter Expands Phishing Campaign to Target Personal Gmail Accounts of Public Figures
A sophisticated hacker group, identified as **GhostWriter** and linked to Belarusian state intelligence, has broadened its phishing operations. Historically focused on corporate and Polish email providers, the group is now actively targeting personal **Gmail** accounts of senior public figures, their relatives, and various professionals in Poland, escalating concerns for privacy and national security.
# GhostWriter Shifts Focus to Personal Gmail Accounts
Poland's national computer emergency response team, **CERT Polska**, has issued a stark warning regarding the evolving tactics of the **GhostWriter** hacker group. Also tracked as **UNC1151** and **Storm-0257**, this Belarus-linked threat actor has expanded its phishing campaigns to include personal **Gmail** accounts, a significant shift from its previous focus on work-related email services.
## Escalating Threat to Public Figures and Their Families
Since March, **GhostWriter** has increasingly targeted individuals in political and public life, including government officials, researchers, journalists, public administration employees, and law enforcement personnel. Alarmingly, the scope now extends to their family members and social contacts, amplifying the potential for compromise and secondary attacks.
**CERT Polska** highlights that **GhostWriter** remains one of the most active state-sponsored threat actors under their surveillance. Researchers noted, "In recent weeks, our team has observed the use of new domains serving phishing pages almost daily," indicating a persistent and aggressive operational tempo.
## Modus Operandi: Credential and 2FA Theft
The primary objective of **GhostWriter**'s phishing campaigns is to steal login credentials and two-factor authentication (2FA) codes. Gaining access to victims' email accounts allows the attackers to exfiltrate contact lists and sensitive documents and to identify linked online accounts. This information is then leveraged to pinpoint additional targets or to hijack social media profiles, furthering their influence operations.
Intriguingly, the attackers do not always possess the precise email addresses of their intended targets. They sometimes resort to guessing likely **Gmail** addresses, which has led to phishing messages being sent to unrelated individuals with similar names. Campaigns have also been observed targeting specific regions and professional groups, such as translators and court experts.
## A History of Disinformation and Cyber Espionage
**GhostWriter** has been consistently linked by cybersecurity researchers to Belarusian state intelligence services and has been active against Polish targets since Russia's full-scale invasion of Ukraine. Beyond credential theft, the group is notorious for its influence and disinformation operations, specifically aimed at undermining Poland's relationships with Ukraine, the United States, and **NATO**, while simultaneously fueling domestic social tensions.
The group's malicious activities also extend to Ukrainian government agencies and military organizations. Earlier this year, reports indicated that **GhostWriter** utilized fake emails disguised as notifications from a popular online learning platform to distribute malware to Ukrainian government officials. Furthermore, a separate campaign uncovered by **SentinelOne** last year revealed the group targeting Belarusian opposition activists, showcasing the breadth of its operational scope.
