Prevailion Issues New Threat Intelligence Updates for Suspected Russian Disinformation Group UNC1151

HOUSTON -- Prevailion, a global leader in Compromise Breach Monitoring™ and cyber adversary intelligence, has discovered new operational details for UNC1151, a suspected Russian state-sponsored cyber threat actor, which has been involved in cyber espionage and online disinformation and influence campaigns throughout Europe.

Prevailion’s researchers have determined that UNC1151’s online infrastructure is three times larger than what has been previously documented, and its malicious cyber activities are broader and more aggressive than was originally suspected. These operations are also continuing to evolve and expand.

“The specially-crafted phishing infrastructure we uncovered is extensive for a disinformation campaign and shows that they built this for long-term resilience and probably have financial backing of some kind, which reinforces the state-sponsored suspicions,” said Karim Hijazi, CEO of Prevailion. “The domains we discovered appear to be the group’s backup infrastructure, which they likely switched to after security researchers exposed other domains in previous reporting. This shows a high level of sophistication, as UNC1151 seems to have anticipated some level of domain attrition by the security community and had backups in place to maintain their operation with limited, if any, disruption.”


UNC1151 is a cyber threat actor that is believed to be backed by the Kremlin and responsible for a series of ongoing malicious activities throughout Europe known as “Ghostwriter”. These activities involve anti-NATO disinformation campaigns, cyber espionage and politically damaging hack-and-leak operations.

This group was first identified by FireEye’s Mandiant in April 2021, as a follow-up to its July 2020 report, which first identified the Ghostwriter campaign. Additional research on UNC1151 and Ghostwriter has been carried out by several other companies, including ThreatConnect, DomainTools and VSQUARE.


Prevailion’s Adversarial Counterintelligence Team (PACT) used advanced infrastructure hunting techniques and Prevailion’s unique visibility into threat actor infrastructure creation to uncover previously unknown domains associated with UNC1151 and the “Ghostwriter” influence campaign.

In a report published today, Prevailion details the following findings:

  • PACT assesses with Moderate to High Confidence that there are 81 additional, unreported malicious domains clustered with the activity that FireEye and ThreatConnect detailed in their respective reports. This makes UNC1151’s online infrastructure almost three times larger than was originally documented.
  • PACT also assesses with High Confidence that UNC1151 has targeted additional European entities outside of the Baltics, Poland, Ukraine and Germany, for which no previous public reporting exists.
  • PACT identified domain and subdomain naming themes that indicate a change in targeting around 2020/2021, as Ghostwriter targeted European Apple (iPhone and iCloud) and PayPal users, as well as European users of popular regional web service providers like OVH Telecom and global tech giants like Google, Microsoft, Twitter, and Facebook.

“Based on our counterintelligence collection, we believe that UNC1151 is positioned for a much wider operation, both in Europe and potentially beyond,” said Hijazi. “A common tactic used by Russian groups is to test specific cyber tactics and strategies in countries like Ukraine or the Baltics first, before deploying them against larger national targets.”

To read the full report, go to:


Prevailion is the world’s first Continuous Breach Monitoring™ company, transforming the way organizations approach compromise detection and breach prevention to drastically improve security operations. Through next-level tailored intelligence and a zero-touch platform, Prevailion provides a full view of confirmed “Evidence of Compromise” (EOC) for customers and their partner ecosystems. Prevailion is funded by AllegisCyber Capital, DataTribe, Allstate Strategic Ventures, Legion Capital, Irongrey and Accenture Ventures. To learn more about Prevailion, visit


Michael Sias
Firm 19 for Prevailion


Release Summary

Leading cyber intelligence company Prevailion discovers new online infrastructure for suspected Russian cyber threat actor, UNC1151.

