Belarus-Linked GhostWriter Expands Phishing Campaign to Target Gmail Accounts of Polish Public Figures

What happened

CERT Polska, Poland’s national computer emergency response team, warned on Friday that GhostWriter, a Belarus-linked hacking group also tracked as UNC1151 and Storm-0257, has expanded its phishing operations to target personal Gmail accounts belonging to senior Polish public figures, their relatives, and social contacts. The shift represents a tactical expansion from the group’s previous focus on work accounts and Polish email provider services.

The campaign has been active since March 2026, with CERT Polska observing new phishing domains appearing almost daily in recent weeks. Primary targets include government officials, researchers, journalists, public administration employees, and law enforcement personnel, along with their family members. Regional campaigns have also targeted specific professional groups including translators and court experts. The attackers do not always have exact email addresses and have been observed guessing likely Gmail addresses, resulting in phishing messages reaching unintended recipients with similar names.

GhostWriter’s phishing campaigns are designed to steal login credentials and two-factor authentication codes to gain full account access. Once inside, attackers search for contact lists, sensitive documents, and linked online accounts to identify additional targets or take over social media profiles. The group has been linked to Belarusian state intelligence services and has been active against Polish targets since Russia’s full-scale invasion of Ukraine. Beyond credential theft, GhostWriter conducts influence and disinformation operations aimed at undermining Poland’s relationships with Ukraine, the United States, and NATO. Earlier this year, the group used fake notifications from an online learning platform to distribute malware to Ukrainian government officials.

Who is affected

Polish government officials, public figures, journalists, researchers, and law enforcement personnel are confirmed targets, along with their family members and social contacts. The campaign’s geographic and professional targeting patterns suggest anyone with visible public roles or connections to targeted individuals in Poland faces potential exposure. Ukrainian government agencies and military organizations have also been previously targeted by the same group.

Why CISOs should care

GhostWriter’s expansion to personal Gmail accounts is a deliberate attempt to bypass the endpoint controls, monitoring, and MFA configurations that organizations typically apply to work accounts. Personal accounts used by employees and public figures are frequently less hardened, may not have phishing-resistant MFA enabled, and are outside the visibility of organizational security teams. For security leaders responsible for protecting senior officials, executives, or public-facing personnel, this campaign is a direct signal that the attack surface extends beyond corporate infrastructure to personal digital identities.

The targeting of family members and social contacts is also operationally significant. It broadens the attack surface to individuals who may have no security awareness training and whose compromised accounts can be used to reach the primary target through trusted personal channels.

3 practical actions

  1. Brief senior officials, executives, and public-facing employees on GhostWriter’s personal account targeting and enforce phishing-resistant MFA on personal Gmail accounts: Standard TOTP-based MFA is vulnerable to real-time phishing of authentication codes, which is exactly what GhostWriter’s campaigns are designed to capture. Encourage enrollment in Google’s Advanced Protection Program, which enforces hardware security key authentication, for high-risk individuals and their immediate family members where feasible.
  2. Extend security awareness training to cover personal account phishing and the risk of family member targeting: Most organizational security training focuses on work account threats. Brief senior personnel on the specific risk that their personal Gmail accounts and those of their family members are active targets, and provide guidance on recognizing credential phishing pages designed to mimic Google login flows.
  3. Monitor for GhostWriter indicators published by CERT Polska and block newly registered phishing domains at the network perimeter: CERT Polska has documented near-daily registration of new phishing domains in this campaign. Integrate their threat intelligence feeds and block known GhostWriter infrastructure at DNS and network levels for managed devices, and consider sharing indicators with employees for personal device protection.
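The DNS-level blocking and monitoring in action 3, as an added example that is not code from the article or from CERT Polska: it normalizes an indicator list into a BIND Response Policy Zone (RPZ) that blocks each domain and its subdomains at the resolver, then scans resolver query logs for lookups of blocked names. The feed format, the BIND-style log lines and every domain (all under the reserved .test TLD) are constructed placeholders, not real campaign indicators.

```python
"""Constructed example: indicator list -> RPZ blocklist, plus a query-log
scan for lookups of blocked domains. Domains are placeholders under the
reserved .test TLD; they are not real GhostWriter infrastructure."""
import re

# Constructed indicator feed: one domain per line, '#' comments allowed.
INDICATOR_FEED = """
# constructed sample feed, not real indicators
accounts-google-login.test
secure-mail-verify.test   # constructed
Google-Support-Check.TEST.
"""

# Constructed BIND-style query log (three lookups, two of them hits).
QUERY_LOG = """\
15-Mar-2026 09:12:01.123 client 10.0.0.5#51234 (mail.google.com): query: mail.google.com IN A + (10.0.0.1)
15-Mar-2026 09:12:07.456 client 10.0.0.9#51235 (login.accounts-google-login.test): query: login.accounts-google-login.test IN A + (10.0.0.1)
15-Mar-2026 09:13:11.789 client 10.0.0.7#51236 (secure-mail-verify.test): query: secure-mail-verify.test IN A + (10.0.0.1)
"""

QNAME_RE = re.compile(r"client (\S+?)#\d+ .*?query: (\S+?)\.? IN ")

def parse_indicators(feed: str) -> set[str]:
    """Lowercase each FQDN, strip trailing dots, drop comments and blank lines."""
    doms = (ln.split("#", 1)[0].strip().lower().rstrip(".") for ln in feed.splitlines())
    return {d for d in doms if d}

def build_rpz(domains: set[str], zone: str = "rpz.local") -> str:
    """Emit an RPZ zone; 'CNAME .' returns NXDOMAIN for the name and for '*.name'."""
    head = [f"$TTL 60\n@ IN SOA {zone}. hostmaster.{zone}. 1 3600 900 604800 60\n@ IN NS localhost."]
    rules = [f"{d} CNAME .\n*.{d} CNAME ." for d in sorted(domains)]
    return "\n".join(head + rules) + "\n"

def is_blocked(qname: str, blocklist: set[str]) -> bool:
    """True if the queried name or any parent domain is on the blocklist."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def find_hits(log: str, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, qname) for every logged lookup of a blocked domain."""
    found = [m.groups() for m in map(QNAME_RE.search, log.splitlines()) if m]
    return [(ip, q) for ip, q in found if is_blocked(q, blocklist)]

if __name__ == "__main__":
    blocked = parse_indicators(INDICATOR_FEED)
    print(build_rpz(blocked))
    for ip, qname in find_hits(QUERY_LOG, blocked):
        print(f"ALERT client {ip} resolved blocked domain {qname}")
```

Hits on the log side are the useful signal even after the RPZ is in place, since a client that looked up a blocked domain is one that received and acted on a phishing message.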

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.