Ten artykuł czytasz w ramach bezpłatnego limitu

Follow the big issues that shape Polish politics and society by signing up to our weekly newsletter "News from Poland: Democracy at Stake". It allows you to stay up to speed on developments concerning the ongoing assault on democratic institutions, rule of law, and human rights in Poland.

Presenting the information as the "findings of the Internal Security Agency and the Military Counterintelligence Service", on Tuesday, the spokesperson for the Polish Minister-?Coordinator of the Intelligence and Security Services Stanisław Żaryn reported that Poland has been the target of a cyber-attack conducted by a group named "UNC1151". The operation is codenamed "Ghostwriter", and "the Polish intelligence services have gathered information proving the links between the attackers and Russian special services". One of the victims of their attack is supposed to be Michał Dworczyk, head of the chancellery of Poland’s Prime Minister.

For the past two weeks, sensitive information from Mr Dworczyk’s private mailbox, including email exchanges between high-level government officials, has been regularly published in a group on the Russian messaging app Telegram.

Methods used by the "Ghostwriter" hackers

It doesn’t require an extensive analysis to see that the alleged "findings" of the Polish intelligence services overlap with the content of two reports published in July 2020 and April 2021 on the website of the American cybersecurity company Fireeye (owned by the Mandiant group). As it turns out, however, Stanford University ran a parallel investigation into cyberattacks on European email and social media accounts as well. The project was carried out by Anna Gielewska and Konrad Szczygieł, journalists from the Reporters’ Foundation.

Their report was originally published in English on March 30, 2021, and a Polish summary appeared on tvn24.pl/premium on April 5. The 30 pages long report contains all the elements that the Polish intelligence services refer to as "their findings". Experts from the Mandiant group and Stanford University worked on the report for many months, analyzing all high-profile cases of "hacking" into the accounts of Polish politicians and government institutions. In their research, they established the following modus operandi of the "Ghostwriter" hackers:

„It starts with a phishing attack. The hackers fabricate social media posts or use other electronic services to steal a person’s login and password. An effective phishing attack allows hackers to take over your email account, including a list of contacts, and if the inbox is connected to social media or the same password is used in several accounts, the door opens to use other accounts and access the content stored on the individual’s phone. Twitter and Facebook accounts seized in a phishing attack are then used in a disinformation campaign.

Shocking tweets allegedly posted by politicians, although they are a spectacular aspect of the campaign, are only the tip of the iceberg. The phishing attack may use fake websites that claim to be managed by state institutions, hacked and real news websites or official websites of the institutions, as well as correspondence from other hijacked email accounts".

According to the report, "it is a long-term, organized and wide-ranging disinformation operation that requires a lot of effort and resources. Its exact goals are still unclear".

Having accessed the account of a targeted person, the "Ghostwriter" conducts two types of activities. The first one is the publication of completely false and sensational information (including pictures), which is then sent to Twitter and Facebook users and presented as coming directly from public figures, politicians, or government institutions. The second type is the publication of doctored e-mails, posts, and messages. In both cases, the aim is to make the recipient believe that they are dealing with a legitimate account.

A fake radioactive incident

The examples of hacks analyzed in the report were clearly calculated to compromise specific individuals or sow panic.  Researchers describe the mechanism showing how false information with the potential to cause panic and civil disorder usually spreads:

"On March 17, a fake article about a radioactive cloud that originated in Lithuania is published on the website of the National Atomic Energy Agency (PAA), sounding a dire warning that Poland is facing an ecological disaster. The news published on PAA website is based on a report published by the Lithuanian Nuclear Power Safety Inspectorate (VATESI). The cybersecurity portal niebezpiecznik.pl reported that the fabricated report was published on a fake website – its address had an "l" replaced by an "i": vatesl.lt.

Five minutes after vatestl.lt reports a ‘radioactive incident’ in Lithuania, hackers publish a fake announcement with a warning about a radioactive cloud on the PAA website. After another several dozen minutes, similar information is published on zdrowie.gov.pl, the official website of the Polish Ministry of Health, this time the fabricated text focuses on the symptoms of radiation sickness.

Then such fake-news media reports go global – hackers re-tweet them using the account of a right-wing journalist and a Russia expert Marek Budzisz. The account, which the hackers control for a few hours, shares the tweet dozens of times, tagging, among others, Poland’s Prime Minister Mateusz Morawiecki. It also links to the hacked pages of PAA and the Ministry of Health and their copies in web archives.

The fake story is also shared from the accounts of two local PiS activists: Mirosław Walicki – the starost of Garwolin and Andrzej Rochmiński, head of local party structures in Zielona Góra. The hackers expect the information will quickly be removed from the official PAA website, so they use the Facebook profiles of councilors to post entries that link to the archived version of the warning on PAA website. As a result, information about the radioactive cloud is still available to those who follow the councilors’ profiles" (including key members of the opposition).

Authors of the report emphasize the far-reaching scale of the operation: "As reported by niebezpiecznik.pl, the entire PAA content management system (CMS), or even a company that supports government administration institutions, has probably been hacked. That day, Poland’s National Atomic Energy Agency labels this as fake news. A few hours later Marek Budzisz informs that he has regained control of his Twitter account".

As the fact-checking portal Konkret24 has observed, for some reason, the false information was not picked up by the public, even though that the attack coincided with the talks of the Polish and French governments about the construction of a nuclear power plant in Poland.

Sources cited by the authors of the report claim that Mr Budzisz’s and Walicki’s email addresses had previously been on a long list of accounts hacked as part of an organized phishing operation targeting mailboxes of MPs and government officials.

The authors have also found that "the fake story that ran on a fabricated website was a manipulation of an authentic VATESTI announcement about public consultations on a radioactive waste storage site, which had run on local websites just hours earlier. The website vatesl.lt was set up on the same day, several hours before the attack".

Smaller attacks

It was probably the most serious and far-reaching attack the "Ghostwriter" had successfully conducted. Others were significantly smaller. The report also mentions the hacking of Twitter accounts of Law and Justice MPs Marek Suski and Marcin Duszek. In both cases, their accounts contained morally dubious and pornographic pictures. The Ministry of National Defence was attacked in a similar way: hackers fabricated a story about an attractive female officer of the Polish Armed Forces being "offered" by the commanding officers to foreign delegations. The Twitter account of minister Marzena Maląg was compromised as well. In her case, the attacker used the account to post offensive information about Women’s Strike activists.

The three-headed cybersecurity dragon

Having analyzed each of these cases, the authors of the report conclude that the authorities responsible for protecting politicians and government institutions from cyber threats failed to react appropriately. The warnings that politicians received were simply ignored. As we read in the report, "in theory, it is the three-headed dragon called the Computer Security Incident Response Team who is responsible for protecting the most important people in Poland against cyberattacks".

The „three heads" include NASK (Scientific and Academic Computer Network at the National Research Institute), GOV (run by the Internal Security Agency or ABW), and the Ministry of National Defence, as well as what remains of the digitization department transferred to the Prime Minister’s Chancellery a few months ago.

When asked whether the prosecutor’s office is carrying out proceedings filed by the Internal Security Agency (ABW) or other services that result from cyberattacks on politicians, the Warsaw prosecutor’s office sent a brief reply: "No proceedings have been found to meet the criterion included in the question."

The authors sent similar questions to the Prime Minister’s Chancellery. Here, the answer was somewhat more specific: "over the past twelve months, several dozen attacks have been detected against private email accounts and social networking sites used by public officials. The exact scale of these attacks is unknown, as not all of them have been reported by people who fell victim," the Department for Promotion of Digital Policy at the Prime Minister’s Chancellery wrote in response, adding that the proceedings, after the individuals reported they have fallen victim to cyberattacks, are conducted by law enforcement agencies – the prosecutor’s office and the police".

According to the report, „such a large and long-term operation should be viewed as a critical incident. However, despite several meetings between the Internal Security Agency, the Prime Minister’s Chancellery and Government Security Center (RCB), it has not been treated as a major threat". Instead, "in November 2020, the government plenipotentiary for cybersecurity, Marek Zagórski (former minister of the now-defunct Ministry of Digitization), sent a letter to the Speaker of the Sejm addressed to the parliamentary caucus, in which he informed that email address was created to handle reports on phishing attacks. The Prime Minister’s Chancellery has also prepared an illustrated guide for MPs that explains how to stay safe online". Asking several MPs about the distributed guides, the authors concluded that "none of them has seen it".

Jan Grabiec, a Civic Coalition (KO) MP and the chairman of the parliamentary committee for digitization, innovation, and new technologies, said that shortly after the initial phishing attacks, parliamentarians received notifications on their official tablets to be careful when using the internet.

Public officials, private mailboxes

But what do the "Ghostwriter" hacks have to do with leaks from Mr Dworczyk’s private mailbox? Dr Anna Mierzyńska, who is associated with the OKO.press portal, says that she is "skeptical" as to whether the same group was behind both attacks. -So far, the group was mainly spreading disinformation by means of false websites and compromised accounts. There was no example of the group publishing documents from the same source for an extended period of time- she said. would be published for such a long time". And that was exactly the case when sensitive information from Mr Dworczyk’s private email account started to appear in a group on Telegram.

The materials continue to appear online, and no one has yet denied their authenticity. Topic-wise, the leaked documents and email exchanges do not seem to follow any specific key. Ms Mierzyńska does not rule out the possibility that "Ghostwriter" "may have changed its method of operation".

While officials continue to deny that the potential source of the leak could have been someone from Mr Dworczyk’s immediate circle, the Internal Security Agency, which conducts the ongoing investigation, is still examining the possibility. Mr Dworczyk himself claims that he fell victim to a cyberattack coordinated by the Russians.

In a conversation with the authors of the report, the aforementioned MP Mr Grabiec asked them to send their questions to... his private mailbox, explaining that "his official email is full of spam".

Today, it is clear that Mr Dworczyk is not the only high-level government official using his private mailbox for official correspondence. Prime Minister Morawiecki, several ministers, advisers, and heads of government agencies are following the same pattern.  As a matter of fact, messages from official government accounts are sent only by lower-level officials, and their addressees (such as Mr Dworczyk) often forward them to private mailboxes anyway. If politicians refuse to follow even such basic security measures, no government agency is capable of protecting their mailboxes from cyberattacks.


Every day, 400 journalists at Gazeta Wyborcza write verified, fact-checked stories about Polish politics and society, keeping a critical eye on the ruling camp’s persistent assault on democratic values and the rule of law; the growing cultural tension between religious fundamentalism and human rights; and the ongoing COVID-19 epidemic. Our journalists are on the front lines in 25 Polish cities, reporting from the streets, hospitals, and courtrooms about issues that move public opinion.

We decided to make our service available to everyone free of charge in order to provide access to high quality journalism for expats and English speakers interested in Polish affairs. 

The access to information should be equal for all.

Gazeta Wyborcza Foundation
Czytaj ten tekst i setki innych dzięki prenumeracie

Wybierz prenumeratę, by czytać to, co Cię ciekawi

Wyborcza.pl to zawsze sprawdzone informacje, szczere wywiady, zaskakujące reportaże i porady ekspertów w sprawach, którymi żyjemy na co dzień. Do tego magazyny o książkach, historii i teksty z mediów europejskich. Zrezygnować możesz w każdej chwili.