// TL;DR
- Ghostwriter blends credential theft with fabricated content to seed false narratives.
- Trusted inboxes and real websites get hijacked to lend the lies credibility.
- The target is perception, not just data.
- Defense: verify before amplifying, and treat unexpected 'leaks' as suspect by default.
What happened
Not every cyber operation steals money or data. Some steal belief. The Ghostwriter playbook is a long-running influence campaign that pairs old-fashioned credential theft with content fabrication to push narratives that serve a state's interests.
The mechanics matter because they explain why it works. Operators compromise real accounts and, in some cases, real content management systems. From there they plant fabricated articles on legitimate-looking outlets, or send messages from inboxes the recipient already trusts. The forgery does not have to be perfect; it has to arrive through a trusted channel.
That trusted channel is the human attack vector. A reader who would dismiss a random link will pause on the same claim if it appears on a familiar site or lands from a known colleague. The operation exploits the shortcut your brain takes when the source looks safe.
Defending against this is less about firewalls and more about habits. Verify surprising claims through a second independent source before you amplify them. Treat unexpected leaks and too-perfect documents as suspect. And for organizations, protect the publishing pipeline as carefully as the data, because a hijacked byline is as damaging as a stolen database.
Influence operations do not need to hack you. They need you to forward something before you check it.
How to defend against it
The through-line of every Threat Level: Human briefing is the same: the exploited control is human, so the durable defense is a habit, not just a product.